Re: CERT VU#539363
From: Mike Hoskins (mike@adept.org)
Date: 10/17/02
- Next message: David Schultz: "Re: CERT VU#539363"
- Previous message: Greg Lewis: "Re: TCFS for FreeBSD?"
- In reply to: David Schultz: "Re: CERT VU#539363"
- Next in thread: David Schultz: "Re: CERT VU#539363"
- Reply: David Schultz: "Re: CERT VU#539363"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Oct 2002 00:44:28 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: David Schultz <dschultz@uclink.Berkeley.EDU>
On Wed, 16 Oct 2002, David Schultz wrote:
> Thus spake Mike Hoskins <mike@adept.org>:
> FreeBSD's ipfw isn't vulnerable because it doesn't do application
> layer filtering. On the other hand, ipfilter is potentially
> susceptible, probably depending on the FTP server you use.
Are you thinking of VU#328867? Take a look at 539363 (which you indicate
you haven't read below). 539363 certainly does affect ipfw, or any
stateful firewall, from what I can see. It's not a question of whether a
given implementation is or isn't vulnerable so much as a question of which
implementations best deal with this type of (ab)use.
> > "Use firewall features that detect and block flood traffic"
> [...]
> > "Use dynamically resizeable state tables"
> [...]
> Your criticisms here are well-founded; these suggestions do not
> fix the resource exhaustion problem. However, you have to realize
> that a stateful firewall is inherently vulnerable to this kind of
> attack.
Note that the points above (in quotes) were from the CERT VU, I was just
commenting on their recommendations and attempting to draw
FreeBSD-specific corollaries.
> I haven't read the
> list of suggestions you're referring to, but the suggestions
> probably assume that the administrator requires a stateful
> firewall, in which case the best you can possibly do is manage
> that (theoretically unbounded) state intelligently.
"[T]he best you can possibly do is manage that ..." I learned and
accepted that about stateful firewalls long ago. My only real point was
ensuring we handle things as gracefully as possible and possibly provide
an official response to CERT.
> I believe that's the idea. IPFW doesn't do this; it simply stops
> creating new dynamic rules when the table is full. I think
> there's lots of room for DOS resistance here; you could imagine
> separate per-rule or per-source quotas on dynamic rules, for
> example.
I noticed a lot of big names haven't replied (Cisco). I'd like to know
how the PIX's "adaptive security" algorithms handle this - a first clue
will be seeing their response.
> If you turn off statefulness, you lose some expressiveness, and
> you may consequently allow or restrict more than you intended to.
Indeed, I never intended to suggest configuring a "static" firewall as a
valid option for most stateful installations. I believe that was an
intended recommendation from CERT, however, in their typically vague and
overly broad manner. ;)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
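The exchange above turns on two behaviours of a stateful firewall's dynamic-rule table: what happens when the table is full (the reply says ipfw simply stops creating new dynamic rules) and whether a per-source quota on dynamic rules would help. The following is an added toy model written for this page, not code from ipfw, FreeBSD or either poster. The table size, per-source quota, lifetime and the three addresses are constructed values chosen to make the effect visible; the model does not claim to reproduce ipfw's actual data structures or timers.

```python
"""Toy model of a stateful firewall's dynamic-rule table under a SYN-style
flood, comparing a global cap alone with a global cap plus a per-source quota.
Added illustration for this thread; not ipfw code. All numbers are made up."""

from collections import defaultdict


class StateTable:
    """Dynamic rules keyed by 5-tuple, with a global cap (like a dyn_max-style
    sysctl), an optional per-source quota, and a lifetime for entries whose
    handshake never completes (assumed 20 s here)."""

    def __init__(self, dyn_max, per_source_limit=None, syn_lifetime=20.0):
        self.dyn_max = dyn_max
        self.per_source_limit = per_source_limit
        self.syn_lifetime = syn_lifetime
        self.entries = {}                 # (src, sport, dst, dport) -> expiry time
        self.per_source = defaultdict(int)  # src -> live entries for that source
        self.refused = defaultdict(int)     # reason -> count, for the report

    def expire(self, now):
        """Drop entries whose lifetime has elapsed and release their quota."""
        dead = [key for key, expiry in self.entries.items() if expiry <= now]
        for key in dead:
            del self.entries[key]
            self.per_source[key[0]] -= 1

    def new_flow(self, now, src, sport, dst, dport):
        """Return True if a dynamic rule is created (or already exists)."""
        self.expire(now)
        key = (src, sport, dst, dport)
        if key in self.entries:
            return True
        # Per-source quota is checked first so one flooding source is cut off
        # before it can consume the shared table.
        if self.per_source_limit is not None and \
                self.per_source[src] >= self.per_source_limit:
            self.refused["per_source"] += 1
            return False
        # Global cap: when the table is full, no new dynamic rules at all.
        if len(self.entries) >= self.dyn_max:
            self.refused["table_full"] += 1
            return False
        self.entries[key] = now + self.syn_lifetime
        self.per_source[src] += 1
        return True


def simulate(dyn_max=1000, per_source_limit=None, flood_size=5000):
    """One attacker opens flood_size half-open flows at t=0; a legitimate
    client then tries once during the flood (t=1 s) and once after the
    half-open entries have expired (t=30 s). Addresses are documentation
    ranges, constructed for the example."""
    table = StateTable(dyn_max, per_source_limit)
    attacker, victim, client = "198.51.100.7", "192.0.2.10", "203.0.113.5"
    for i in range(flood_size):
        table.new_flow(0.0, attacker, 1024 + i, victim, 80)
    flood_accepted = len(table.entries)
    flood_refused = dict(table.refused)
    client_during = table.new_flow(1.0, client, 40000, victim, 80)
    client_after = table.new_flow(30.0, client, 40001, victim, 80)
    return {
        "flood_accepted": flood_accepted,
        "flood_refused": flood_refused,
        "client_during_flood": client_during,
        "client_after_expiry": client_after,
    }


if __name__ == "__main__":
    print("global cap only      :", simulate())
    print("cap + per-source quota:", simulate(per_source_limit=50))
```

With the global cap alone the single attacker fills all 1000 slots and the legitimate client is refused until the half-open entries time out; with a per-source quota of 50 the attacker is cut off at 50 entries and the client gets through immediately. The caveat the thread itself raises still applies: a per-source quota only helps against a source that can be identified, so a flood from spoofed or widely distributed addresses still lands on the global cap and the entry lifetime, which is why the reply calls the state "theoretically unbounded" and the best outcome "managing it intelligently".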