Filtering bogus TCP packets

Discussion in 'Cisco' started by David, Jun 3, 2004.

  1. David

    David Guest

    Hi All,

    I'm using a Cisco 2621 router running IOS 12.2, and currently have an
    access list defined to act as a basic firewall. However the Nessus
    security tool uncovers the following problem:

    "
    The remote host does not discard TCP SYN packets which have the FIN
    flag set. Depending on the kind of firewall you are using, an
    attacker may use this flaw to bypass its rules.

    See also: http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
    http://www.kb.cert.org/vuls/id/464113
    "

    Can we set the Cisco router to discard these types of bogus packets?
    For example, the first link above suggests it can be done on a Unix
    box with the following:

    iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix="bogus packet"
    $IP -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j DROP


    Thanks for any suggestions,

    Dave
    David, Jun 3, 2004
    #1

  2. Scooby

    Scooby Guest

    "David" <> wrote in message
    news:...
    > Hi All,
    >
    > I'm using a Cisco 2621 router running IOS 12.2, and currently have an
    > access list defined to act as a basic firewall. However the Nessus
    > security tool uncovers the following problem:
    >
    > "
    > The remote host does not discard TCP SYN packets which have the FIN
    > flag set. Depending on the kind of firewall you are using, an
    > attacker may use this flaw to bypass its rules.
    >
    > See also: http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
    > http://www.kb.cert.org/vuls/id/464113
    > "
    >
    > Can we set the Cisco router to discard these types of bogus packets?
    > For example, the first link above suggests it can be done on a Unix
    > box with the following:
    >
    > iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j
    > LOG -m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix="bogus
    > packet"
    > $IP -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j DROP
    >
    >
    > Thanks for any suggestions,
    >
    > Dave


    You must have a line something like this in your access list:

    permit tcp any any established

    The problem here is that the router doesn't really check to see if there is
    a session established. It just checks the packet to see if that bit is set.
    The router sez "If the sender thinks there is a session open, then By God,
    there must be a session open and I'll let the packet through". Not the
    greatest way of doing things, but at one time it did make some sense. There
    lies the difference between basic packet filtering and packet inspection.
    You are much better using the CBAC firewall feature set, if you have it on
    your router. It does true firewall packet inspection and will protect
    against these types of attacks.

    Jim
    Scooby, Jun 3, 2004
    #2

  3. X-Eliminator

    X-Eliminator Guest

    "to act as a basic firewall" <----- this sounds like you are saying
    that you have a regular IOS image. Why not just get a firewall image
    that supports reflexive access lists.

    ------------------------------------------------------------------------------------------------------------------
    On 2 Jun 2004 18:32:49 -0700, (David) wrote:

    >Hi All,
    >
    >I'm using a Cisco 2621 router running IOS 12.2, and currently have an
    >access list defined to act as a basic firewall. However the Nessus
    >security tool uncovers the following problem:
    >
    >"
    >The remote host does not discard TCP SYN packets which have the FIN
    >flag set. Depending on the kind of firewall you are using, an
    >attacker may use this flaw to bypass its rules.
    >
    >See also: http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
    >http://www.kb.cert.org/vuls/id/464113
    >"
    >
    >Can we set the Cisco router to discard these types of bogus packets?
    >For example, the first link above suggests it can be done on a Unix
    >box with the following:
    >
    >iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j
    >LOG -m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix="bogus
    >packet"
    >$IP -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j DROP
    >
    >
    >Thanks for any suggestions,
    >
    >Dave
    X-Eliminator, Jun 3, 2004
    #3
  4. Brian Dennis

    Brian Dennis Guest

    As a side note reflexive ACLs are available in all feature sets (IP, IP
    Plus, etc). For CBAC you will need an IOS with the Firewall feature set.

    Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
    bdennis@internetwork(no-spam)expert.com
    Internetwork Expert, Inc.
    http://www.InternetworkExpert.com
    Toll Free: 877-224-8987
    Direct: 775-745-6404 (Outside the US and Canada)



    "X-Eliminator" <> wrote in message
    news:...
    > "to act as a basic firewall" <----- this sounds like you are saying
    > that you have a regular IOS image. Why not just get a firewall image
    > that supports reflexive access lists.
    >
    > ------------------------------------------------------------------------------------------------------------------
    > On 2 Jun 2004 18:32:49 -0700, (David) wrote:
    >
    > >Hi All,
    > >
    > >I'm using a Cisco 2621 router running IOS 12.2, and currently have an
    > >access list defined to act as a basic firewall. However the Nessus
    > >security tool uncovers the following problem:
    > >
    > >"
    > >The remote host does not discard TCP SYN packets which have the FIN
    > >flag set. Depending on the kind of firewall you are using, an
    > >attacker may use this flaw to bypass its rules.
    > >
    > >See also: http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
    > >http://www.kb.cert.org/vuls/id/464113
    > >"
    > >
    > >Can we set the Cisco router to discard these types of bogus packets?
    > >For example, the first link above suggests it can be done on a Unix
    > >box with the following:
    > >
    > >iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j
    > >LOG -m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix="bogus
    > >packet"
    > >$IP -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j DROP
    > >
    > >
    > >Thanks for any suggestions,
    > >
    > >Dave
    Brian Dennis, Jun 3, 2004
    #4
  5. Martin Gallagher

    On Wed, 02 Jun 2004 18:32:49 -0700, David wrote:

    > Can we set the Cisco router to discard these types of bogus packets? For
    > example, the first link above suggests it can be done on a Unix box with
    > the following:
    >
    > iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j LOG
    > -m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix="bogus packet"
    > $IP -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j DROP
    >


    See ACL TCP Flags Filtering,
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtaclflg.htm

    It seems something like this would do it:

    !
    ip access-list extended nosynfin
     10 deny tcp any any match-all +syn +fin
    !

    --
    Rgds,
    Martin
    Martin Gallagher, Jun 3, 2004
    #5
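    The behaviour Jim describes in #2 (the `established` keyword looks only at flag bits, never at a session table: in IOS it matches when ACK or RST is set) and the flag filter Martin suggests in #5 can both be seen in a small model of IOS access-list evaluation. The following Python is an added example written for this thread, not Cisco code or anything posted above; the TCP headers it feeds through the rules are constructed in the script, and `acl_established_only` / `acl_nosynfin` are hypothetical names for the two ACL shapes being compared. It also shows why the deny entry has to sit above the `established` permit: IOS evaluates entries top-down and stops at the first match.

```python
import struct

# TCP flag bits in the 8-bit flags field (RFC 793 layout; only the classic six are used here)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Extract the six classic flag bits from a raw TCP header (>= 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F  # byte 13 holds the flags; mask off the ECN bits


def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header carrying the given flags (sample input only)."""
    data_offset = 5 << 4  # 20-byte header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags,
                       65535, 0, 0)


def established(flags: int) -> bool:
    """IOS 'established' keyword: matches if ACK or RST is set.
    No state is consulted, so a forged packet with ACK set matches
    even though no handshake ever happened."""
    return bool(flags & (ACK | RST))


def match_all(flags: int, plus: int, minus: int = 0) -> bool:
    """IOS 'match-all +X -Y' semantics: every + flag set, every - flag clear."""
    return (flags & plus) == plus and (flags & minus) == 0


def acl_established_only(segment: bytes) -> str:
    """Models the ACL from #2:
         10 permit tcp any any established
         (implicit deny ip any any)"""
    return "permit" if established(tcp_flags(segment)) else "deny"


def acl_nosynfin(segment: bytes) -> str:
    """Models Martin's flag filter placed ahead of the established permit:
         10 deny   tcp any any match-all +syn +fin
         20 permit tcp any any established
         (implicit deny ip any any)
    First match wins, so the deny must come before the permit."""
    flags = tcp_flags(segment)
    if match_all(flags, SYN | FIN):
        return "deny"
    if established(flags):
        return "permit"
    return "deny"


# Constructed sample traffic (not captured from any real network)
SAMPLES = {
    "syn":         build_segment(SYN),               # normal connection attempt
    "syn_fin":     build_segment(SYN | FIN),         # the flag combination Nessus sends
    "syn_fin_ack": build_segment(SYN | FIN | ACK),   # bogus combination with ACK set
    "ack_only":    build_segment(ACK),               # mid-stream or forged; ACL cannot tell
}


def evaluate(acl) -> dict:
    """Run every sample through one ACL model and report the verdicts."""
    return {name: acl(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("established only", acl_established_only),
                       ("deny syn+fin first", acl_nosynfin)):
        print(label, evaluate(acl))
```

    The point the output makes is the one from #2: `established` passes `ack_only` and `syn_fin_ack` purely because the ACK bit is set, with no idea whether a session exists. Adding the `match-all +syn +fin` deny above it removes every SYN+FIN combination, but it is still stateless filtering; only CBAC or reflexive lists, as the later replies note, actually track sessions.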
  6. David

    David Guest

    Hi,

    > You must have a line something like this in your access list:
    >
    > permit tcp any any established
    >
    > The problem here is that the router doesn't really check to see if there is
    > a session established. It just checks the packet to see if that bit is set.
    > The router sez "If the sender thinks there is a session open, then By God,
    > there must be a session open and I'll let the packet through". Not the
    > greatest way of doing things, but at one time it did make some sense. There
    > lies the difference between basic packet filtering and packet inspection.
    > You are much better using the CBAC firewall feature set, if you have it on
    > your router. It does true firewall packet inspection and will protect
    > against these types of attacks.


    Yes, this is something I've gathered. I would like to look into this
    stuff as I believe that we have the firewall feature set. That would
    definitely be the best solution I think.

    However, in the interim I need to try to prevent Nessus picking up
    this problem. Is there a Cisco equivalent of the iptables example that
    will specifically prevent these kinds of invalidly flagged packets
    getting through?

    Kind regards,

    Dave
    David, Jun 3, 2004
    #6
