[c-nsp] FW: Cisco Security Response: [Full-disclosure] Cisco PIX TCP Connection Prevention

Andrew Yourtchenko ayourtch at cisco.com
Wed Nov 23 23:02:51 EST 2005


>
> Is this information going to be added to the official advisory?
>

I've updated the release-note for CSCsc14915 - take a look and let me know 
if you find something there that needs improvement. If there are no changes 
to this text, I'll update the other release-note during the daytime.

Well, at this line I take off my 'official' hat - and below goes something 
which bugs me personally, and anything under this paragraph is purely 
to be attributed to me and not to my employer <.. all other favourite 
disclaimers here, etc, etc, etc.. :) >

The thing that bugs me about this subject is as follows:

Facts:

1) A successful attack on the about-to-happen communication between
Alice and Bob requires the bad guy Harry to know Alice's IP address+port
and Bob's IP address. Moreover, this attack does not prevent Charlie and 
Diana from still happily talking to Alice through the firewall. Right?

2) Mounting the attack requires Harry to keep up 65535 connections in
the embryonic state - per _each_ pair of addresses that he wants to
deprive of communications. (So, e.g. kicking Bob, Charlie, and
Diana would mean 3*65535 = 196605 embryonic connections.) Right?

3) To perform a successful attack on Alice+Bob, Harry must spoof Bob's 
address, right?

With this in mind, a few questions that make me wonder:

1) Assuming someone is the security administrator - how quickly does a
delta of 65 _thousand_ _embryonic_ connections (X times that in case of 
multiple client-server pairs) get interesting enough for this person to 
start investigating what is going on and pursuing the appropriate avenues,
as with any other incident?

1a) 65000 unanswered SYNs in 120 seconds (6.3) or 30 seconds (7.0) - this 
obviously does not trigger any IDSes or anomaly-monitoring systems?

2) No one these days is doing any RPF checks on the access routers in the 
first place, so anyone can just send packets from anywhere with any source 
IP?

(I do not disregard the possibility of having Harry somewhere in the core, 
I am just guesstimating the probability of having him there _and_ assuming 
he would use this method in favour of something much smarter.)

I can think of some situations where this might bring inconveniences of 
varying extent - but my understanding is that they are relatively corner cases.
If you can think of something major, understanding what it is would 
definitely help. So far I just do not see anything gross in this - but 
maybe I need an eye check - please help :-)


thanks,
andrew
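The two points Andrew raises under "Facts" and question 1a above - that the attack leaves a delta of tens of thousands of half-open connections from one spoofed source to one destination, and that such a delta should be visible to any anomaly monitor - can be turned into a concrete detector. The block below is an added example and is not code from the original post, from Cisco, or from the PIX itself: it replays a constructed trace of SYN and handshake-completion events, keeps a per-(source, destination, port) count of embryonic connections aged out with the half-open timers the post quotes (120 s for 6.3, 30 s for 7.0), and reports the moment any count crosses a threshold. The host names and addresses (Alice, Bob, Charlie, Diana, the 192.0.2.10 and 10.0.0.x addresses), the alert threshold of 1000 and the attacker's SYN rate are all assumptions chosen for illustration; the trace is constructed, not captured.

```python
"""Added example: detect the embryonic-connection delta described in the post.

Not code from the post or from Cisco. Event format, addresses, threshold and
attacker rate are assumptions; the trace is constructed, not a real capture.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Half-open (embryonic) timers quoted in the post, in seconds.
EMBRYONIC_TIMEOUT = {"6.3": 120.0, "7.0": 30.0}

ALICE = "192.0.2.10"   # assumed server address (Alice)
BOB = "10.0.0.2"       # assumed client address that Harry will spoof
CHARLIE = "10.0.0.3"   # assumed benign clients
DIANA = "10.0.0.4"


@dataclass(frozen=True)
class Event:
    kind: str    # "SYN" = first SYN seen, "EST" = three-way handshake completed
    ts: float    # seconds
    src: str
    sport: int
    dst: str
    dport: int


def syn_rate_to_sustain(timeout):
    """SYNs per second Harry must send to keep all 65535 ports embryonic at once."""
    return 65535 / timeout


def detect(events, timeout, threshold):
    """Replay events in time order; return {(src, dst, dport): first ts at which
    the number of embryonic connections for that triple reached threshold}.

    Entries older than `timeout` are aged out, as the firewall would age them,
    so a slow attacker never accumulates the delta and is (correctly) not flagged.
    """
    pending = {}                 # (src, sport, dst, dport) -> ts of latest SYN
    expiry = deque()             # (ts, key) in arrival order, drives the age-out
    half_open = defaultdict(int)  # (src, dst, dport) -> current embryonic count
    alerted = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        # Age out what the firewall would already have dropped.
        while expiry and e.ts - expiry[0][0] > timeout:
            ts, key = expiry.popleft()
            if pending.get(key) == ts:          # ignore stale entries superseded by a retransmit
                del pending[key]
                half_open[(key[0], key[2], key[3])] -= 1
        key = (e.src, e.sport, e.dst, e.dport)
        triple = (e.src, e.dst, e.dport)
        if e.kind == "SYN":
            if key not in pending:              # a retransmitted SYN is not a new connection
                half_open[triple] += 1
            pending[key] = e.ts
            expiry.append((e.ts, key))
            if half_open[triple] >= threshold and triple not in alerted:
                alerted[triple] = e.ts
        elif e.kind == "EST" and key in pending:
            del pending[key]
            half_open[triple] -= 1
    return alerted


def constructed_trace(attacker_rate=2200.0):
    """Constructed sample (not a capture): a few benign handshakes, then Harry
    spoofing Bob's address and walking every source port towards Alice:80."""
    ev = []
    for i, host in enumerate((CHARLIE, DIANA)):
        for sport in range(40000 + 10 * i, 40003 + 10 * i):
            ev.append(Event("SYN", 1.0 + sport / 1e5, host, sport, ALICE, 80))
            ev.append(Event("EST", 1.02 + sport / 1e5, host, sport, ALICE, 80))
    # Bob himself completes one legitimate connection before the flood.
    ev.append(Event("SYN", 2.0, BOB, 50000, ALICE, 80))
    ev.append(Event("EST", 2.03, BOB, 50000, ALICE, 80))
    # Harry, spoofing Bob, sends one SYN per source port at attacker_rate/s.
    for sport in range(1, 65536):
        ev.append(Event("SYN", 100.0 + sport / attacker_rate, BOB, sport, ALICE, 80))
    return ev


if __name__ == "__main__":
    for version, timeout in EMBRYONIC_TIMEOUT.items():
        print(f"PIX {version}: attacker needs ~{syn_rate_to_sustain(timeout):.0f} SYN/s")
    for triple, ts in detect(constructed_trace(), EMBRYONIC_TIMEOUT["7.0"], 1000).items():
        print(f"alert: {triple} reached 1000 embryonic connections at t={ts:.2f}s")
```

Because the count is keyed on the spoofed source address, the alert names Bob's address as the "source" even though Harry is the sender; that is exactly the RPF point in question 2, and the same counter keyed on ingress interface would show where the spoofed packets really entered. The benign clients never appear in the alert, which matches fact 1: Charlie and Diana keep talking to Alice.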


More information about the cisco-nsp mailing list