Re: PIX DOS (config problem) - Similar to NetScreen ScreenOS...

From: Zeke Gibson [STI] (zeke@silastech.com)
Date: 02/06/02


From: "Zeke Gibson [STI]" <zeke@silastech.com>
To: "David P. Maynard" <dpm@flametree.com>
Date: Tue, 5 Feb 2002 17:20:55 -0800

David,

I found your notes very interesting, and I too must agree that Cisco's
published
configuration example is less-than ideal. What about the ip verify
reverse-path command?
First introduced in PIX OS 4.4, notes at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/relnotes/p
ixrn445.htm#xtocid2419610

I agree that simply configuring the NAT statement to allow any inside host
to establish an outbound
connection and occupy an xlate slot is sloppy, and I recommend that explicit
network identifiers always
be used when associating a NAT identifier to a global pool. I was just
curious as to your thoughts about
reverse-path?

Thanks in advance,

********************************************
Zeke Gibson, Sr. Systems Engineer
Cisco CCNP/CCDP, MCSE, CCEA
Silas Technologies Inc.
Cisco Premier / Aironet Specialized
www.silastech.com
********************************************

----- Original Message -----
From: "David P. Maynard" <dpm@flametree.com>
To: <bugtraq@securityfocus.com>
Sent: Saturday, February 02, 2002 4:34 PM
Subject: Re: PIX DOS (config problem) - Similar to NetScreen ScreenOS...

>
> clathem@skyhawke.com said:
> > Problem: NetScreen ScreenOS 2.6.1 subject to Trust Interface DoS
> > Attack
> >...
> > Exploit: Someone within the trusted side of the network can attempt a
> > portscan on an external IP address. When the scan runs it appears to
> > consume all of the available sessions. This, in turn, causes a DoS
> > to the entire trusted interface.
>
> For what it's worth, the instructions that Cisco publishes on how to
> configure the PIX firewall will make many users subject to a similar DOS
> attack.
>
> Cisco's published examples (at least the ones I have seen) on how to
> configure NAT for the PIX all show the following command:
>
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>
> The "1" is the global NAT pool identifier and the "0.0.0.0 0.0.0.0" is the
> address and netmask of addresses that are allowed to use the pool. In
> other words, any source IP on the inside interface is allowed to use
> global NAT pool 1.
>
> Given this configuration and a limited NAT pool, any machine on the inside
> network can create a DOS situation by launching a large number of outbound
> connections using random source IPs. Each random source IP will occupy
> one slot on the NAT table until they are all exhausted. Adding an
> "overload" or "PAT" address will mitigate the situation, but still isn't a
> "fix."
>
> A much better configuration is to restrict access to the NAT pool to valid
> source IPs on your local network. For example, if your inside network
> uses 192.168.0.0/24 and 192.168.5.0/24, then use:
>
> nat (inside) 1 192.168.0.0 255.255.255.0 0 0
> nat (inside) 1 192.168.5.0 255.255.255.0 0 0
>
> With all of the publicity over the past few years about proper egress
> filtering at border routers, you would think that more people would catch
> this problem. Unfortunately, I can safely say that I have never seen a
> PIX configured by anyone else that restricted NAT access to valid source
> IPs. Some of these boxes had been configured by end-users who were just
> reading the docs and wouldn't know any better. Unfortunately, a fair
> number of them had been configured by high-dollar network consultants (who
> apparently didn't know any better either).
>
> It is possible that PIX OS has a recent feature that can mitigate the
> impact of this problem, but I have seen it take down entire sites back
> when smurf attacks first came around. In any event, it is always a good
> idea to validate the source IPs leaving your network.
>
> -dpm
>
>
> --
> David P. Maynard, CTO
> OutServ.net, Inc. -- Managed IT Operations Solutions [TM]
> EMail: dmaynard@outserv.net, Tel: +1 512 977 8918, Fax: +1 512 977 0986
> --
>
>



Relevant Pages

  • Re: SBS 2003 Misconfigured?
    ... I could 'guess' that the configuration, as you described it, is the netopia ... configured as a bridge and the netgear as the NAT device. ...
    (microsoft.public.windows.server.sbs)
  • Re: High CPU util on 3825
    ... There are plenty of NAT and access lists available. ... Below is a stripped version of the configuration. ... ip inspect name firewall cuseeme timeout 3600 ... crypto pki certificate chain TP-self-signed-4150674149 ...
    (comp.dcom.sys.cisco)
  • c2821 vpn with bgp problem
    ... crypto isakmp client configuration group VPN ... crypto map dynmap client authentication list userauthen ... ip nat inside ... interface GigabitEthernet0/0 ...
    (comp.dcom.sys.cisco)
  • Weird NAT/Routing Issue.
    ... utilizing NAT to connect their network to their ISP. ... IP address configured in a /30 as the router inteface IP, ... The relevant portion of the configuration looks ... simply ping one IP address on the internet so that there is outbound traffic ...
    (comp.dcom.sys.cisco)
  • Re: Windows 2K3 and Virtual Server 2005 guests NAT problem
    ... The first thing to check is that you have configured NAT correctly. ... internal network. ... in seeing the actual configuration and what your settings are. ... If you have configured DNS on the host and have set your vms to use ...
    (microsoft.public.windows.server.networking)