* Which "illegal" tcp-fragments should be blocked?
@ 2008-11-24 17:01 JC Janos
From: JC Janos @ 2008-11-24 17:01 UTC (permalink / raw)
To: Mail List - Netfilter
I've read on numerous sites, and in bunches of examples, that "illegal
tcp fragments" should be blocked early in a firewall rule set.
As I understand it, the rule takes the form,
iptables -A INPUT -p tcp --tcp-flags "mask" "comp" -j DROP
Every source I read seems to match & block a different combination of
fragments. So far, the list of "block these" mask/comp pairs that
I've come across are:
"mask"                            "comp"
--------------------------------  ------------------------
ALL                               ALL
ALL                               NONE
ALL                               FIN,URG,PSH
ALL                               FIN,URG,PSH
ALL                               SYN,RST,ACK,FIN,URG
ACK                               ACK
FIN,ACK                           FIN
FIN,URG,PSH                       FIN,URG,PSH
SYN                               NONE
SYN,RST                           SYN,RST
SYN,FIN,RST,ACK                   NONE
SYN,FIN,RST,ACK,URG               NONE
SYN,FIN                           SYN,FIN
SYN,FIN,RST,ACK                   FIN
SYN,FIN,RST,ACK,URG               URG
SYN,FIN                           SYN,FIN
SYN,FIN,RST,ACK                   SYN,FIN
SYN,FIN,RST,ACK,URG,PSH,ECE,CWR   FIN,URG,PSH
SYN,FIN,RST,ACK,URG               SYN,FIN,RST,ACK,URG
SYN,FIN,RST,ACK,URG,PSH           SYN,FIN,RST,ACK,URG,PSH
Which of these are really valid targets to block? Each of the pairs
is blocked at least sometimes; no one I've found so far blocks them
all. Is this list even complete?
Thanks.
--JC
* Re: Which "illegal" tcp-fragments should be blocked?
From: Gáspár Lajos @ 2008-11-25 14:11 UTC (permalink / raw)
To: JC Janos, Netfilter list
Hi!
I use the following five combinations to filter bogus packets:
ALL       NONE
ALL       URG,PSH,FIN
RST,SYN   RST,SYN
RST,FIN   RST,FIN
SYN,FIN   SYN,FIN
Swifty
JC Janos wrote:
> I've read on numerous sites, and in bunches of examples, that "illegal
> tcp fragments" should be blocked early in a firewall rule set.
>
> As I understand it, the rule takes the form,
>
> iptables -A INPUT -p tcp --tcp-flags "mask" "comp" -j DROP
>
> Every source I read seems to match & block a different combination of
> fragments. So far, the list of "block these" mask/comp pairs that
> I've come across are:
>
> "mask"                            "comp"
> --------------------------------  ------------------------
> ALL                               ALL
> ALL                               NONE
> ALL                               FIN,URG,PSH
> ALL                               FIN,URG,PSH
> ALL                               SYN,RST,ACK,FIN,URG
> ACK                               ACK
> FIN,ACK                           FIN
> FIN,URG,PSH                       FIN,URG,PSH
> SYN                               NONE
> SYN,RST                           SYN,RST
> SYN,FIN,RST,ACK                   NONE
> SYN,FIN,RST,ACK,URG               NONE
> SYN,FIN                           SYN,FIN
> SYN,FIN,RST,ACK                   FIN
> SYN,FIN,RST,ACK,URG               URG
> SYN,FIN                           SYN,FIN
> SYN,FIN,RST,ACK                   SYN,FIN
> SYN,FIN,RST,ACK,URG,PSH,ECE,CWR   FIN,URG,PSH
> SYN,FIN,RST,ACK,URG               SYN,FIN,RST,ACK,URG
> SYN,FIN,RST,ACK,URG,PSH           SYN,FIN,RST,ACK,URG,PSH
>
> Which of these are really valid targets to block? Each of the pairs
> is blocked at least sometimes; no one I've found so far blocks them
> all. Is this list even complete?
>
> Thanks.
>
> --JC
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
* Re: Which "illegal" tcp-fragments should be blocked?
From: JC Janos @ 2008-11-26 17:00 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: Netfilter list
Gaspar,
2008/11/25 Gáspár Lajos <swifty@freemail.hu>:
> Hi!
>
> I use the following five combinations to filter bogus packets:
Why those in particular, and not the others? Your set also adds one
mask/comp pair,
RST,FIN RST,FIN
It seems that just about every example uses a different combination of
fragment rules. I'm simply wondering what the logic in choosing one
over the other is.
Is there maybe some documentation you can point to?
--JC
* Re: Which "illegal" tcp-fragments should be blocked?
From: Gáspár Lajos @ 2008-11-27 14:58 UTC (permalink / raw)
To: JC Janos, Netfilter list
Hi,
After sending you my list I found some bugs. :D
We have the following flags:
(http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure)
URG, ACK, PSH, RST, SYN, FIN
There are 64 (=2 to the power 6) variations possible.
So here is my new INVALID list:
ACK,SYN,FIN,RST  NONE     --> -4 variations. (PSH and URG should never be set alone.)
RST,SYN          RST,SYN  --> -16 variations.
RST,FIN          RST,FIN  --> -8 variations.
SYN,FIN          SYN,FIN  --> -8 variations.
After this we have 28 "valid" variations.
If we do not check PSH and URG flags then only these 7 combinations are
valid:
RST
FIN
SYN
ACK
ACK-RST
ACK-FIN
ACK-SYN
I do not know if there are any restrictions on using the PSH and URG flags...
In three-way handshake we see: SYN, SYN-ACK, ACK.
In connection termination: FIN, ACK, FIN-ACK.
Check this too: http://kerneltrap.org/node/3072
Swifty
JC Janos wrote:
> Gaspar,
>
> 2008/11/25 Gáspár Lajos <swifty@freemail.hu>:
>
>> Hi!
>>
>> I use the following five combinations to filter bogus packets:
>>
>
> Why those in particular, and not the others? Your set also adds one
> mask/comp pair,
>
> RST,FIN RST,FIN
>
> It seems that just about every example uses a different combination of
> fragment rules. I'm simply wondering what the logic in choosing one
> over the other is.
>
> Is there maybe some documentation you can point to?
>
> --JC
* Re: Which "illegal" tcp-fragments should be blocked?
From: JC Janos @ 2008-11-27 16:10 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: Netfilter list
Hi,
2008/11/27 Gáspár Lajos <swifty@freemail.hu>:
> So here is my new INVALID list:
>
> ACK,SYN,FIN,RST  NONE     --> -4 variations. (PSH and URG should never be set alone.)
> RST,SYN          RST,SYN  --> -16 variations.
> RST,FIN          RST,FIN  --> -8 variations.
> SYN,FIN          SYN,FIN  --> -8 variations.
Thanks for the explanation & references! I'm beginning to understand
why you've made your choices. Just for reference, I've also found the
info on the CHAOS target here
(http://jengelh.medozas.de/projects/chaostables/) to be helpful.
I am still unclear about some of these 'other' invalid mask/comp pairs
I see ... For example,
SYN,FIN,RST,ACK,URG,PUSH,ECE,CWR FIN,URG,PUSH
Is this pair already included as a subset of your 36 invalid combos?
Or is it yet something different?
--JC
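The flag arithmetic in Gáspár's 2008-11-27 message and JC's closing question about the eight-flag pair, worked through in code. This is an added example, not code posted by anyone in the thread: it models the iptables "--tcp-flags mask comp" test as "(flags & mask) == comp", enumerates the 64 settings of the six classic flags to reproduce the 36/28 split, lists the seven combinations left when PSH and URG are ignored, and checks whether the pair "SYN,FIN,RST,ACK,URG,PSH,ECE,CWR FIN,URG,PSH" is already a subset of the revised four-rule list. The bit values follow the TCP header; treating ECE and CWR as extra bits, and ALL as exactly the six classic flags, are assumptions, and the helper names are mine.

```python
"""Model of iptables '-p tcp --tcp-flags MASK COMP' matching.

Added example for this thread, not code posted by any participant.
Assumptions: flag bit values follow the TCP header (FIN=0x01 ... URG=0x20);
the iptables keywords ALL and NONE mean the six classic flags and the empty
set; ECE (0x40) and CWR (0x80) are modelled as extra bits only so that the
eight-flag pair from the thread can be evaluated.  The rule lists are the
ones from the thread; the helper names are my own."""

FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
CLASSIC_SIX = 0x3F  # FIN|SYN|RST|PSH|ACK|URG, what iptables calls ALL


def parse_flags(spec: str) -> int:
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bit mask."""
    spec = spec.strip().upper()
    if spec == "NONE":
        return 0
    if spec == "ALL":
        return CLASSIC_SIX
    bits = 0
    for name in spec.split(","):
        name = name.strip()
        bits |= FLAG_BITS["PSH" if name == "PUSH" else name]  # PUSH spelling appears in the thread
    return bits


def tcp_flags_match(mask: str, comp: str, flags: int) -> bool:
    """iptables semantics: examine only the bits in MASK and require exactly
    the bits in COMP to be set among them.  COMP must be a subset of MASK."""
    m, c = parse_flags(mask), parse_flags(comp)
    if c & ~m:
        raise ValueError(f"comp {comp!r} is not a subset of mask {mask!r}")
    return (flags & m) == c


def flags_to_str(flags: int) -> str:
    names = [n for n in ("ACK", "SYN", "FIN", "RST", "PSH", "URG", "ECE", "CWR")
             if flags & FLAG_BITS[n]]
    return "-".join(names) if names else "NONE"


# Gáspár's first (five-rule) and revised (four-rule) lists, as (mask, comp).
GASPAR_FIRST_RULES = [
    ("ALL", "NONE"),
    ("ALL", "URG,PSH,FIN"),
    ("RST,SYN", "RST,SYN"),
    ("RST,FIN", "RST,FIN"),
    ("SYN,FIN", "SYN,FIN"),
]
GASPAR_RULES = [
    ("ACK,SYN,FIN,RST", "NONE"),
    ("RST,SYN", "RST,SYN"),
    ("RST,FIN", "RST,FIN"),
    ("SYN,FIN", "SYN,FIN"),
]


def dropped_by(rules, flags: int) -> bool:
    """A chain of DROP rules: the packet is gone if any rule matches."""
    return any(tcp_flags_match(m, c, flags) for m, c in rules)


def count_dropped(rules) -> int:
    """How many of the 64 settings of the six classic flags the rules drop.
    range(64) walks bits 0..5, i.e. every FIN/SYN/RST/PSH/ACK/URG combination."""
    return sum(dropped_by(rules, f) for f in range(64))


def surviving_ignoring_psh_urg(rules) -> set:
    """Combinations that pass the rules, with PSH and URG masked out."""
    ignore = FLAG_BITS["PSH"] | FLAG_BITS["URG"]
    return {flags_to_str(f & ~ignore) for f in range(64) if not dropped_by(rules, f)}


def covered_by(rules, mask: str, comp: str) -> bool:
    """True if every packet that (mask, comp) would match is already dropped
    by RULES, checked over all 256 settings of the eight flag bits."""
    return all(dropped_by(rules, f) for f in range(256) if tcp_flags_match(mask, comp, f))


def iptables_commands(rules, chain: str = "INPUT") -> list:
    """Render a rule list in the command form used in the thread."""
    return [f"iptables -A {chain} -p tcp --tcp-flags {m} {c} -j DROP" for m, c in rules]


if __name__ == "__main__":
    for name, rules in (("first list", GASPAR_FIRST_RULES), ("revised list", GASPAR_RULES)):
        print(f"{name}: drops {count_dropped(rules)} of 64 combinations")
    print("valid, ignoring PSH/URG:", sorted(surviving_ignoring_psh_urg(GASPAR_RULES)))
    pair = ("SYN,FIN,RST,ACK,URG,PSH,ECE,CWR", "FIN,URG,PSH")
    print("eight-flag pair already covered by revised list:", covered_by(GASPAR_RULES, *pair))
    print("\n".join(iptables_commands(GASPAR_RULES)))
```

Running it reproduces the 36 dropped / 28 surviving split for the revised list (the first list drops 34) and the seven PSH/URG-agnostic survivors. For the eight-flag pair the answer is False: a segment with exactly FIN, URG and PSH set has SYN, RST and ACK clear, so none of the four revised rules matches it and it falls into the FIN group of the 28 "valid" variations; the first list caught it only through its separate "ALL URG,PSH,FIN" rule.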