[c-nsp] FW: Cisco Security Response: [Full-disclosure] Cisco PIX TCP Connection Prevention
Andrew Yourtchenko
ayourtch at cisco.com
Wed Nov 23 23:02:51 EST 2005
>
> Is this information going to be added to the official advisory?
>
I've updated the release note for CSCsc14915 - take a look and let me know
if you find something there as needing improvement. If there are no changes
to this text, during the daytime I'll update the other release note.
Well, at this line I take off my 'official' hat - and below goes something
which bugs me personally, and anything under this paragraph is purely
to be attributed to me and not to my employer <.. all other favourite
disclaimers here, etc, etc, etc.. :) >
The thing that bugs me about this subject is as follows:
Facts:
1) The successful attack on the about-to-happen communication between
Alice and Bob requires the bad guy Harry to know Alice's IP address+port
and Bob's IP address. Moreover, this attack does not prevent Charlie and
Diana from still happily talking to Alice through the firewall. Right?
2) Mounting the attack requires Harry to keep up 65535 connections in
the embryonic state - per _each_ pair of addresses that he wants to
deprive of communications. (So, e.g. kicking Bob, Charlie, and
Diana would mean 3*65535 = 196605 embryonic connections.) Right?
3) To perform the successful attack on Alice+Bob, Harry must spoof Bob's
address, right ?
With this in mind, a few questions that make me wonder:
1) Assuming someone would be a security administrator - how quickly would a
delta of 65 _thousand_ _embryonic_ connections (X times that in case of
multiple client-server pairs) get interesting for this person to
start investigating what is going on and pursuing the appropriate avenues,
similarly to any other incident?
1a) 65000 unanswered SYNs in 120 seconds (6.3) or 30 seconds (7.0) - this
obviously does not trigger any IDSes or any anomaly-monitoring systems ?
2) No one these days is doing any RPF checks on the access routers in the
first place, so anyone can just send packets from anywhere with any source
IP?
(I do not disregard the possibility of having Harry somewhere in the core,
just guesstimating the possibility of having him there _and_ assuming
he would use this method in favour of something much smarter.)
I can think of some situations where this might bring inconveniences of
varying extent - but my understanding is that they are relatively corner cases.
If you can think of something major - understanding what it is would
definitely help. So far I just do not see anything gross in this - but
maybe I need an eye check - please help :-)
thanks,
andrew
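The post's question 1a) is whether a burst of ~65000 unanswered SYNs within the PIX embryonic timeout (120 s on 6.3, 30 s on 7.0) would stand out to monitoring. The following is an added example, not part of the thread or any Cisco tooling: it counts half-open connections per (source, destination) address pair in a sliding window and flags pairs that have filled an assumed fraction of the 65535-port space. The record format, the sample traffic and the 10% alert fraction are all constructed assumptions.

```python
"""Sliding-window count of embryonic (half-open) TCP connections per address pair."""
from collections import defaultdict, deque

# Figures from the thread: 65535 embryonic entries per address pair exhaust the
# port space; PIX 6.3 ages embryonic entries out after 120 s, 7.0 after 30 s.
PORT_SPACE = 65535
ALERT_FRACTION = 0.10          # assumption: flag a pair once 10% of the port space is half-open


def embryonic_per_pair(records, window_s):
    """records: iterable of (t_seconds, src_ip, dst_ip, state); only "SYN" records
    (a SYN with no completed handshake) count as embryonic.
    Returns {(src, dst): peak number of embryonic entries alive in any window_s span}."""
    alive = defaultdict(deque)   # per pair: timestamps of SYNs still inside the window
    peak = defaultdict(int)
    for t, src, dst, state in sorted(records):
        if state != "SYN":
            continue
        q = alive[(src, dst)]
        q.append(t)
        while q and q[0] < t - window_s:     # expire entries older than the embryonic timeout
            q.popleft()
        peak[(src, dst)] = max(peak[(src, dst)], len(q))
    return dict(peak)


def flag_pairs(records, window_s, threshold=int(PORT_SPACE * ALERT_FRACTION)):
    """Pairs whose peak embryonic count reached the alert threshold within the window."""
    return {pair: n for pair, n in embryonic_per_pair(records, window_s).items()
            if n >= threshold}


def constructed_sample():
    """Constructed traffic (not real PIX output): Charlie's normal chatter to a server,
    plus a burst of 100 SYNs/s for 80 s from one address towards the same server."""
    recs = [(t, "192.0.2.10", "198.51.100.5", "SYN") for t in range(0, 120, 2)]
    recs += [(t, "203.0.113.7", "198.51.100.5", "SYN") for t in range(80) for _ in range(100)]
    return recs


if __name__ == "__main__":
    sample = constructed_sample()
    for window in (120, 30):          # 6.3-style vs 7.0-style embryonic timeout
        print(f"window={window}s flagged={flag_pairs(sample, window)}")
```

With the 120 s window the burst pair peaks at 8000 half-open entries and is flagged; with the 30 s window only 3100 are alive at once, which is why the same burst has to be sustained far longer against 7.0 to reach the port-exhaustion figure the thread discusses.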