discard TCP SYN

discard TCP SYN

[Michael K]

My firewall have default policy to drop (in, out & fwd)
Some protocols are open for communications, such as tcp/80, ftp/21 from
the internet
Then I use stateful inspection, accepting estabished,related.
However, the nessus scanner is reporting this:
-----
The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also :
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618
----
Should I be worried? The remote host is Windows 2000 server.
Should I drop syn? iptables -A FORWARD -p tcp --tcp-flags SYN,FIN
SYN,FIN -j DROP

regards Klintan

Re: discard TCP SYN

[Cedric Blancher]

Le mer 06/08/2003 à 13:32, Michael K a écrit :
> Then I use stateful inspection, accepting estabished,related.
> However, the nessus scanner is reporting this:
> -----
> The remote host does not discard TCP SYN packets which
> have the FIN flag set.

SYN/FIN packets are valid according to RFC793. RFC specify that if RST
and ACK are not set, and SYN is set, packet must get treated as opening
a connection without examining other flags.

> Depending on the kind of firewall you are using, an
> attacker may use this flaw to bypass its rules.

Some people say that some firewalls may accept this kind of packets
through closed ports. That is not Netfilter's behaviour.

> Should I be worried? 

Not with Netfilter.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Re: discard TCP SYN

[Ralf Spenneberg]

Am Mit, 2003-08-06 um 13.32 schrieb Michael K:
> My firewall have default policy to drop (in, out & fwd)
> Some protocols are open for communications, such as tcp/80, ftp/21 from
> the internet
> Then I use stateful inspection, accepting estabished,related.
> However, the nessus scanner is reporting this:
> -----
> The remote host does not discard TCP SYN packets which
> have the FIN flag set.
> 
> Depending on the kind of firewall you are using, an
> attacker may use this flaw to bypass its rules.

The better solution would be to only accept SYN Packets which actually
are SYN packets.
iptables -A FORWARD -p tcp --syn -m state --state NEW -s whatever -j
ACCEPT

But ....
This SYN/FIN stuff comes from an old packetfilter implementation which
implemented a very simple SYN test:
Is only the SYN-Bit set? Yes, then it is a SYN-packet!
If you relied on this test to implement the firewall-rules on this
non-stateful packetfilter, you would create two rules:

Allow everything from the inside to the outside including SYN.
Allow everything from the outside to the inside but SYN.

Now, TCP-connection could only be initiated (meaning a SYN could be
send) from the inside, right? No, you could send a SYN from the outside,
once you have figured out that you needed a second flag set. 
Well, I wonder what happens if you use SYN/FIN? The firewall passes it
and most (all?) operating systems ignore the FIN and operate on the SYN.
Connection Established!

Remember this is only possible on non-stateful packetfilters (read:
These packetfilters do not use connection tracking)

Once you use connection tracking that code decides in which direction
the connection is initiated. It is not just a matter of the SYN-packet.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org

RE: discard TCP SYN

[Michael K]

Thank you.
 
So iptables that uses connection-tracking is safe. And the old ipchains
is not, including the old ipfwadm?
Hurray for iptables :-)

/Klintan

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org 
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> Ralf Spenneberg
> Sent: Wednesday, August 06, 2003 2:43 PM
> To: Michael K
> Cc: Netfilter
> Subject: Re: discard TCP SYN
> 
> 
> Am Mit, 2003-08-06 um 13.32 schrieb Michael K:
> > My firewall have default policy to drop (in, out & fwd)
> > Some protocols are open for communications, such as tcp/80, ftp/21 
> > from the internet Then I use stateful inspection, accepting 
> > estabished,related. However, the nessus scanner is reporting this:
> > -----
> > The remote host does not discard TCP SYN packets which
> > have the FIN flag set.
> > 
> > Depending on the kind of firewall you are using, an
> > attacker may use this flaw to bypass its rules.
> 
> The better solution would be to only accept SYN Packets which 
> actually are SYN packets. iptables -A FORWARD -p tcp --syn -m 
> state --state NEW -s whatever -j ACCEPT
> 
> But ....
> This SYN/FIN stuff comes from an old packetfilter 
> implementation which implemented a very simple SYN test: Is 
> only the SYN-Bit set? Yes, then it is a SYN-packet! If you 
> relied on this test to implement the firewall-rules on this 
> non-stateful packetfilter, you would create two rules:
> 
> Allow everything from the inside to the outside including 
> SYN. Allow everything from the outside to the inside but SYN.
> 
> Now, TCP-connection could only be initiated (meaning a SYN could be
> send) from the inside, right? No, you could send a SYN from 
> the outside, once you have figured out that you needed a 
> second flag set. 
> Well, I wonder what happens if you use SYN/FIN? The firewall 
> passes it and most (all?) operating systems ignore the FIN 
> and operate on the SYN. Connection Established!
> 
> Remember this is only possible on non-stateful packetfilters 
> (read: These packetfilters do not use connection tracking)
> 
> Once you use connection tracking that code decides in which 
> direction the connection is initiated. It is not just a 
> matter of the SYN-packet.
> 
> Cheers,
> 
> Ralf
> -- 
> Ralf Spenneberg
> RHCE, RHCX
> 
> Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
> IPsec-Howto				     http://www.ipsec-howto.org
> Honeynet Project Mirror:                     
> http://honeynet.spenneberg.org
> 
> 

RE: discard TCP SYN

[Michael]

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org 
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> Cedric Blancher
> Sent: Wednesday, August 06, 2003 2:28 PM
> To: Michael K
> Cc: netfilter@lists.netfilter.org
> Subject: Re: discard TCP SYN
> 
> 
> Le mer 06/08/2003 à 13:32, Michael K a écrit :
> > Then I use stateful inspection, accepting 
> estabished,related. However, 
> > the nessus scanner is reporting this:
> > -----
> > The remote host does not discard TCP SYN packets which
> > have the FIN flag set.
> 
> SYN/FIN packets are valid according to RFC793. RFC specify 
> that if RST and ACK are not set, and SYN is set, packet must 
> get treated as opening a connection without examining other flags.
> 
> > Depending on the kind of firewall you are using, an
> > attacker may use this flaw to bypass its rules.
> 
> Some people say that some firewalls may accept this kind of 
> packets through closed ports. That is not Netfilter's behaviour.
> 
> > Should I be worried?
> 
> Not with Netfilter.
> 

Again, hurray for iptables :-)

And thank you!

/Klintan

RE: discard TCP SYN

[Ralf Spenneberg]

Am Mit, 2003-08-06 um 18.42 schrieb Michael K:
> Thank you.
>  
> So iptables that uses connection-tracking is safe. And the old ipchains
> is not, including the old ipfwadm?
> Hurray for iptables :-)
Well, kind of. The old ipchains had a safe syn check. 
Manpage extract:
 -y, --syn       Only match TCP packets with the SYN bit set and the
              	  ACK and FIN bits cleared.

But when using iptables' connection tracking you are usually safe.

Cheers,

Ralf
> 
> /Klintan
> 
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org 
> > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> > Ralf Spenneberg
> > Sent: Wednesday, August 06, 2003 2:43 PM
> > To: Michael K
> > Cc: Netfilter
> > Subject: Re: discard TCP SYN
> > 
> > 
> > Am Mit, 2003-08-06 um 13.32 schrieb Michael K:
> > > My firewall have default policy to drop (in, out & fwd)
> > > Some protocols are open for communications, such as tcp/80, ftp/21 
> > > from the internet Then I use stateful inspection, accepting 
> > > estabished,related. However, the nessus scanner is reporting this:
> > > -----
> > > The remote host does not discard TCP SYN packets which
> > > have the FIN flag set.
> > > 
> > > Depending on the kind of firewall you are using, an
> > > attacker may use this flaw to bypass its rules.
> > 
> > The better solution would be to only accept SYN Packets which 
> > actually are SYN packets. iptables -A FORWARD -p tcp --syn -m 
> > state --state NEW -s whatever -j ACCEPT
> > 
> > But ....
> > This SYN/FIN stuff comes from an old packetfilter 
> > implementation which implemented a very simple SYN test: Is 
> > only the SYN-Bit set? Yes, then it is a SYN-packet! If you 
> > relied on this test to implement the firewall-rules on this 
> > non-stateful packetfilter, you would create two rules:
> > 
> > Allow everything from the inside to the outside including 
> > SYN. Allow everything from the outside to the inside but SYN.
> > 
> > Now, TCP-connection could only be initiated (meaning a SYN could be
> > send) from the inside, right? No, you could send a SYN from 
> > the outside, once you have figured out that you needed a 
> > second flag set. 
> > Well, I wonder what happens if you use SYN/FIN? The firewall 
> > passes it and most (all?) operating systems ignore the FIN 
> > and operate on the SYN. Connection Established!
> > 
> > Remember this is only possible on non-stateful packetfilters 
> > (read: These packetfilters do not use connection tracking)
> > 
> > Once you use connection tracking that code decides in which 
> > direction the connection is initiated. It is not just a 
> > matter of the SYN-packet.
> > 
> > Cheers,
> > 
> > Ralf
> > -- 
> > Ralf Spenneberg
> > RHCE, RHCX
> > 
> > Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
> > IPsec-Howto				     http://www.ipsec-howto.org
> > Honeynet Project Mirror:                     
> > http://honeynet.spenneberg.org
> > 
> > 
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org