[c-nsp] Firewalls in front of Internet servers

Joel M Snyder Joel.Snyder at Opus1.COM
Mon Oct 12 17:00:11 EDT 2009



Peter Rathlev wrote:
> On Mon, 2009-10-12 at 09:19 -0700, Joel M Snyder wrote:
>> You may remember last year's "the Internet is falling and only Dan 
>> Kaminsky can explain it" flap around DNS.  Well, a lot of the
>> discussion around this bug/problem/issue ignored the truth that a good
>> firewall prevented the attack directly, by knowing enough 'deep packet
>> smarts' around the DNS protocol that the attack scenario was
>> effectively blocked (hey, that's why we have a session table in the
>> first place!).
> 
> The "Kaminsky attack" only makes sense towards recursive resolvers, and
> I think most posters here are thinking about authoritative Internet
> facing nameservers. Who runs a recursive nameserver open towards the
> Internet nowadays?

Well, if "nowadays" is "the day before the Kaminsky press..." then I'd 
say "all kinds of people." Including prominent NANOG contributors.  I 
suspect most of those folks have cleaned up their acts since then, but I 
have learned never to be surprised at the level of security as actually 
deployed.

And I don't even have a seat-of-the-pants number to throw out, but I'd 
bet that you'd be surprised if you did a little survey at how many 
recursive resolvers are reachable from the general purpose Internet.

> 
> Even so: The nameservers make outbound requests and for those it sort of
> does make sense to have stateful inspection. Except AFAIK the Kaminsky
> attack works with spoofed answers, i.e. spoofing both source IP and
> ports and query ID. How would a firewall (including DPI) catch this? By
> randomizing source ports or query IDs like TCP sequence number
> randomization? I'm not sure I agree that's a good idea. By denying all
> but one answers? Perfect way to DoS yourself.

I don't see that as a DoS issue.  Let's say that the firewall has an 
idea that a DNS query should have only one answer (which would be 
correct).  If you start to get multiple answers for each query, then 
wouldn't that be something you'd want to know about?  We're not talking 
about port scanning here; we're talking about clearly broken 
behavior--either a broken DNS server which is multi-replying to queries 
or some third party trying to inject bad juju.

Yes, it turns out that almost anything the security people put in place 
can be used by a malicious attacker to create a DoS.  For example, if I 
know you have a <deleted> brand firewall, I can send medium-size ZIP 
files, better double-ZIPped (more is suspicious), through the firewall 
with email and watch those little files have an impact equal to 10x 
their normal bandwidth.

Even if you have NO security hardware in place, by knowing your routing 
infrastructure and desire to patch, I can cause DoS attacks with crafty 
choice of traffic designed to either cause disproportionate load or, 
even better, a nice reload every once in a while.

Yes, I'll acknowledge that the security hardware is MUCH more 
susceptible to this kind of attack.  I was in the lab a few months ago 
with a massive IPS from <deleted> and accidentally chose the "wrong" 
port to send throughput test traffic on, and watched that box go from 
40Gbps to about 2Gbps.

Now, maybe this is NANOG and ISPs operate in a 'we're just a utility 
company; you buy your own water softener or surge suppressor' mindset. 
But a lot of the thinking that goes into engineering large ISP networks 
is applicable to large enterprise networks, and vice versa.  I see 
organizations in the carrier business who a few years ago would never 
dream of anything but the lightest of ACLs across their infrastructure 
now investing in big firewalls and other tools to provide security.

jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms
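The "one query, one answer" check Joel describes, as an added example that is not part of the original post and not any vendor's firewall code: a toy DNS session table in Python. It keys each outstanding query on the client/server 5-tuple, transaction ID and question name, drops answers that match no outstanding query, forwards the first matching answer, and raises an alert on any further answer to the same query. All addresses, ports, names and transaction IDs are constructed, and session ageing/timeouts are deliberately left out.

```python
"""Toy stateful DNS session table of the kind the post describes.

Constructed example, not code from the original post or from any product.
Session ageing/timeouts are omitted; a real session table would expire
entries after an idle period and on the first forwarded answer plus a grace
window, rather than keeping them forever as this toy does.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsPkt:
    """Minimal view of a DNS-over-UDP datagram as a firewall sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    qname: str
    is_response: bool


# (client ip, client port, server ip, server port, txid, normalised qname)
SessionKey = Tuple[str, int, str, int, int, str]


class DnsSessionTable:
    def __init__(self) -> None:
        # outstanding queries -> number of answers seen so far
        self.pending: Dict[SessionKey, int] = {}
        self.alerts: List[str] = []

    def process(self, pkt: DnsPkt) -> str:
        """Return the firewall's verdict for one datagram."""
        if not pkt.is_response:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.txid, pkt.qname.lower())
            self.pending[key] = 0
            return "forward-query"

        # An answer must mirror the query's 5-tuple, txid and question;
        # anything else is unsolicited and is dropped (as the resolver
        # itself would ignore it).
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.txid, pkt.qname.lower())
        if key not in self.pending:
            return "drop-unsolicited"

        self.pending[key] += 1
        if self.pending[key] == 1:
            return "forward-answer"

        # A second answer to the same query is either a broken server or
        # someone injecting; either way it is worth knowing about.
        self.alerts.append(
            f"{self.pending[key]} answers for {pkt.qname} "
            f"txid=0x{pkt.txid:04x} from {pkt.src}:{pkt.sport}"
        )
        return "alert-duplicate-answer"


def forged_answers(client: str, cport: int, server: str,
                   txids: List[int], qname: str) -> List[DnsPkt]:
    """Answers with the server's address spoofed as source, one per txid guess."""
    return [DnsPkt(server, 53, client, cport, t, qname, True) for t in txids]


def run_sample() -> Tuple[List[str], List[str]]:
    """Replay a constructed Kaminsky-style burst through the table."""
    client, cport, server = "192.0.2.10", 53211, "198.51.100.1"
    qname, real_txid = "www.example.com", 0x1A2B
    table = DnsSessionTable()

    traffic = [DnsPkt(client, cport, server, 53, real_txid, qname, False)]  # the query
    traffic += forged_answers(client, cport, server, [0x0001, 0x0002, 0x0003], qname)
    traffic += forged_answers(client, cport, server, [real_txid], qname)  # lucky guess
    traffic.append(DnsPkt(server, 53, client, cport, real_txid, qname, True))  # genuine
    traffic.append(DnsPkt(server, 53, client, 40000, real_txid, qname, True))  # wrong port

    verdicts = [table.process(p) for p in traffic]
    return verdicts, table.alerts


if __name__ == "__main__":
    v, a = run_sample()
    for line in v:
        print(line)
    for line in a:
        print("ALERT:", line)
```

In the replayed burst the three wrong-txid forgeries and the wrong-port answer are dropped as unsolicited, the one forgery that guesses the port and txid correctly is forwarded (Peter's point: state alone cannot stop a correct guess), and the genuine answer that follows trips the duplicate-answer alert (Joel's point: the tell is that the query got more than one answer). The table cannot say which of the two was forged, only that something is wrong with that query.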

