* discard TCP SYN @ 2003-08-06 11:32 Michael K 2003-08-06 12:27 ` Cedric Blancher 2003-08-06 12:43 ` Ralf Spenneberg 0 siblings, 2 replies; 6+ messages in thread From: Michael K @ 2003-08-06 11:32 UTC (permalink / raw) To: netfilter My firewall have default policy to drop (in, out & fwd) Some protocols are open for communications, such as tcp/80, ftp/21 from the internet Then I use stateful inspection, accepting estabished,related. However, the nessus scanner is reporting this: ----- The remote host does not discard TCP SYN packets which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules. See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html http://www.kb.cert.org/vuls/id/464113 Solution : Contact your vendor for a patch Risk factor : Medium BID : 7487 Nessus ID : 11618 ---- Should I be worried? The remote host is Windows 2000 server. Should I drop syn? iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP regards Klintan ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: discard TCP SYN 2003-08-06 11:32 discard TCP SYN Michael K @ 2003-08-06 12:27 ` Cedric Blancher 2003-08-06 16:43 ` Michael 2003-08-06 12:43 ` Ralf Spenneberg 1 sibling, 1 reply; 6+ messages in thread From: Cedric Blancher @ 2003-08-06 12:27 UTC (permalink / raw) To: Michael K; +Cc: netfilter Le mer 06/08/2003 à 13:32, Michael K a écrit : > Then I use stateful inspection, accepting estabished,related. > However, the nessus scanner is reporting this: > ----- > The remote host does not discard TCP SYN packets which > have the FIN flag set. SYN/FIN packets are valid according to RFC793. RFC specify that if RST and ACK are not set, and SYN is set, packet must get treated as opening a connection without examining other flags. > Depending on the kind of firewall you are using, an > attacker may use this flaw to bypass its rules. Some people say that some firewalls may accept this kind of packets through closed ports. That is not Netfilter's behaviour. > Should I be worried? Not with Netfilter. -- http://www.netexit.com/~sid/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: discard TCP SYN 2003-08-06 12:27 ` Cedric Blancher @ 2003-08-06 16:43 ` Michael 0 siblings, 0 replies; 6+ messages in thread From: Michael @ 2003-08-06 16:43 UTC (permalink / raw) To: netfilter > -----Original Message----- > From: netfilter-admin@lists.netfilter.org > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of > Cedric Blancher > Sent: Wednesday, August 06, 2003 2:28 PM > To: Michael K > Cc: netfilter@lists.netfilter.org > Subject: Re: discard TCP SYN > > > Le mer 06/08/2003 à 13:32, Michael K a écrit : > > Then I use stateful inspection, accepting > estabished,related. However, > > the nessus scanner is reporting this: > > ----- > > The remote host does not discard TCP SYN packets which > > have the FIN flag set. > > SYN/FIN packets are valid according to RFC793. RFC specify > that if RST and ACK are not set, and SYN is set, packet must > get treated as opening a connection without examining other flags. > > > Depending on the kind of firewall you are using, an > > attacker may use this flaw to bypass its rules. > > Some people say that some firewalls may accept this kind of > packets through closed ports. That is not Netfilter's behaviour. > > > Should I be worried? > > Not with Netfilter. > Again, hurray for iptables :-) And thank you! /Klintan ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: discard TCP SYN 2003-08-06 11:32 discard TCP SYN Michael K 2003-08-06 12:27 ` Cedric Blancher @ 2003-08-06 12:43 ` Ralf Spenneberg 2003-08-06 16:42 ` Michael K 1 sibling, 1 reply; 6+ messages in thread From: Ralf Spenneberg @ 2003-08-06 12:43 UTC (permalink / raw) To: Michael K; +Cc: Netfilter Am Mit, 2003-08-06 um 13.32 schrieb Michael K: > My firewall have default policy to drop (in, out & fwd) > Some protocols are open for communications, such as tcp/80, ftp/21 from > the internet > Then I use stateful inspection, accepting estabished,related. > However, the nessus scanner is reporting this: > ----- > The remote host does not discard TCP SYN packets which > have the FIN flag set. > > Depending on the kind of firewall you are using, an > attacker may use this flaw to bypass its rules. The better solution would be to only accept SYN Packets which actually are SYN packets. iptables -A FORWARD -p tcp --syn -m state --state NEW -s whatever -j ACCEPT But .... This SYN/FIN stuff comes from an old packetfilter implementation which implemented a very simple SYN test: Is only the SYN-Bit set? Yes, then it is a SYN-packet! If you relied on this test to implement the firewall-rules on this non-stateful packetfilter, you would create two rules: Allow everything from the inside to the outside including SYN. Allow everything from the outside to the inside but SYN. Now, TCP-connection could only be initiated (meaning a SYN could be send) from the inside, right? No, you could send a SYN from the outside, once you have figured out that you needed a second flag set. Well, I wonder what happens if you use SYN/FIN? The firewall passes it and most (all?) operating systems ignore the FIN and operate on the SYN. Connection Established! Remember this is only possible on non-stateful packetfilters (read: These packetfilters do not use connection tracking) Once you use connection tracking that code decides in which direction the connection is initiated. It is not just a matter of the SYN-packet. Cheers, Ralf -- Ralf Spenneberg RHCE, RHCX Book: Intrusion Detection für Linux Server http://www.spenneberg.com IPsec-Howto http://www.ipsec-howto.org Honeynet Project Mirror: http://honeynet.spenneberg.org ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: discard TCP SYN 2003-08-06 12:43 ` Ralf Spenneberg @ 2003-08-06 16:42 ` Michael K 2003-08-07 5:50 ` Ralf Spenneberg 0 siblings, 1 reply; 6+ messages in thread From: Michael K @ 2003-08-06 16:42 UTC (permalink / raw) To: 'Netfilter' Thank you. So iptables that uses connection-tracking is safe. And the old ipchains is not, including the old ipfwadm? Hurray for iptables :-) /Klintan > -----Original Message----- > From: netfilter-admin@lists.netfilter.org > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of > Ralf Spenneberg > Sent: Wednesday, August 06, 2003 2:43 PM > To: Michael K > Cc: Netfilter > Subject: Re: discard TCP SYN > > > Am Mit, 2003-08-06 um 13.32 schrieb Michael K: > > My firewall have default policy to drop (in, out & fwd) > > Some protocols are open for communications, such as tcp/80, ftp/21 > > from the internet Then I use stateful inspection, accepting > > estabished,related. However, the nessus scanner is reporting this: > > ----- > > The remote host does not discard TCP SYN packets which > > have the FIN flag set. > > > > Depending on the kind of firewall you are using, an > > attacker may use this flaw to bypass its rules. > > The better solution would be to only accept SYN Packets which > actually are SYN packets. iptables -A FORWARD -p tcp --syn -m > state --state NEW -s whatever -j ACCEPT > > But .... > This SYN/FIN stuff comes from an old packetfilter > implementation which implemented a very simple SYN test: Is > only the SYN-Bit set? Yes, then it is a SYN-packet! If you > relied on this test to implement the firewall-rules on this > non-stateful packetfilter, you would create two rules: > > Allow everything from the inside to the outside including > SYN. Allow everything from the outside to the inside but SYN. > > Now, TCP-connection could only be initiated (meaning a SYN could be > send) from the inside, right? No, you could send a SYN from > the outside, once you have figured out that you needed a > second flag set. > Well, I wonder what happens if you use SYN/FIN? The firewall > passes it and most (all?) operating systems ignore the FIN > and operate on the SYN. Connection Established! > > Remember this is only possible on non-stateful packetfilters > (read: These packetfilters do not use connection tracking) > > Once you use connection tracking that code decides in which > direction the connection is initiated. It is not just a > matter of the SYN-packet. > > Cheers, > > Ralf > -- > Ralf Spenneberg > RHCE, RHCX > > Book: Intrusion Detection für Linux Server http://www.spenneberg.com > IPsec-Howto http://www.ipsec-howto.org > Honeynet Project Mirror: > http://honeynet.spenneberg.org > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: discard TCP SYN 2003-08-06 16:42 ` Michael K @ 2003-08-07 5:50 ` Ralf Spenneberg 0 siblings, 0 replies; 6+ messages in thread From: Ralf Spenneberg @ 2003-08-07 5:50 UTC (permalink / raw) To: Michael K; +Cc: 'Netfilter' Am Mit, 2003-08-06 um 18.42 schrieb Michael K: > Thank you. > > So iptables that uses connection-tracking is safe. And the old ipchains > is not, including the old ipfwadm? > Hurray for iptables :-) Well, kind of. The old ipchains had a safe syn check. Manpage extract: -y, --syn Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. But when using iptables' connection tracking you are usually safe. Cheers, Ralf > > /Klintan > > > -----Original Message----- > > From: netfilter-admin@lists.netfilter.org > > [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of > > Ralf Spenneberg > > Sent: Wednesday, August 06, 2003 2:43 PM > > To: Michael K > > Cc: Netfilter > > Subject: Re: discard TCP SYN > > > > > > Am Mit, 2003-08-06 um 13.32 schrieb Michael K: > > > My firewall have default policy to drop (in, out & fwd) > > > Some protocols are open for communications, such as tcp/80, ftp/21 > > > from the internet Then I use stateful inspection, accepting > > > estabished,related. However, the nessus scanner is reporting this: > > > ----- > > > The remote host does not discard TCP SYN packets which > > > have the FIN flag set. > > > > > > Depending on the kind of firewall you are using, an > > > attacker may use this flaw to bypass its rules. > > > > The better solution would be to only accept SYN Packets which > > actually are SYN packets. iptables -A FORWARD -p tcp --syn -m > > state --state NEW -s whatever -j ACCEPT > > > > But .... > > This SYN/FIN stuff comes from an old packetfilter > > implementation which implemented a very simple SYN test: Is > > only the SYN-Bit set? Yes, then it is a SYN-packet! If you > > relied on this test to implement the firewall-rules on this > > non-stateful packetfilter, you would create two rules: > > > > Allow everything from the inside to the outside including > > SYN. Allow everything from the outside to the inside but SYN. > > > > Now, TCP-connection could only be initiated (meaning a SYN could be > > send) from the inside, right? No, you could send a SYN from > > the outside, once you have figured out that you needed a > > second flag set. > > Well, I wonder what happens if you use SYN/FIN? The firewall > > passes it and most (all?) operating systems ignore the FIN > > and operate on the SYN. Connection Established! > > > > Remember this is only possible on non-stateful packetfilters > > (read: These packetfilters do not use connection tracking) > > > > Once you use connection tracking that code decides in which > > direction the connection is initiated. It is not just a > > matter of the SYN-packet. > > > > Cheers, > > > > Ralf > > -- > > Ralf Spenneberg > > RHCE, RHCX > > > > Book: Intrusion Detection für Linux Server http://www.spenneberg.com > > IPsec-Howto http://www.ipsec-howto.org > > Honeynet Project Mirror: > > http://honeynet.spenneberg.org > > > > -- Ralf Spenneberg RHCE, RHCX Book: Intrusion Detection für Linux Server http://www.spenneberg.com IPsec-Howto http://www.ipsec-howto.org Honeynet Project Mirror: http://honeynet.spenneberg.org ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2003-08-07 5:50 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2003-08-06 11:32 discard TCP SYN Michael K 2003-08-06 12:27 ` Cedric Blancher 2003-08-06 16:43 ` Michael 2003-08-06 12:43 ` Ralf Spenneberg 2003-08-06 16:42 ` Michael K 2003-08-07 5:50 ` Ralf Spenneberg
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox