Security

Charles Steinkuehler charles at steinkuehler.net
Fri Jan 25 19:06:24 CST 2002


> > Was this using the packet-fragment trick, to overwrite portions of the
> > IP header, or some other trick?
>
> No, we set the ACK flags to trick the firewall into thinking it was an
> acknowledgement to a previous request.
>
> > Out of curiosity, what sort of firewall were you running when testing
> > this?
>
> IPChains, CISCO Access Lists and the XP firewall is all we used it
> against.
> We're going to move up the sophistication level of the targets next week.

Sounds like fun...I play with tiny linux firewalls, geared to boot off
floppy or CD, and run out of a ramdisk:

http://lrp.steinkuehler.net/

It's designed to be easy for linux newbies to use, but is pretty flexible,
as well.  I've got the CD-ROM version running as my firewall/router,
providing a 5 port router (upstream link, 3 separate proxy-arp'd DMZs, and
a masqueraded internal network), as well as VPN gateway functionality
(FreeS/WAN IPSec).

> > If the firewall was linux based, did you try setting the above flag and
> > seeing what happened?
>
> No, I didn't set the above flag.  I will.  Thanks for the suggestion.  Of
> course, you're right.  If the firewall itself reassembles the packets
> before it examines them then the method is useless.  Also, if you're using a
> stateful firewall the ACK method is useless as well.  Unfortunately, the
> home gateway products (like the Linksys, and Dlink) are neither of these.

The ip_always_defrag flag breaks RFCs, so shouldn't be used on a device
with connections to the internet on both sides (i.e. a back-bone router or
similar), but it works fine when you've got complete control of the "near"
side of the network (i.e. most firewall environments, which is really where
you care about fragment attacks anyway).

Also curious...have you guys played with bypassing NAT translation to
port-scan internal masqueraded systems?  If so, how sophisticated are the
tools to do this?  I'm wondering how worried I should be about this form of
attack...

Charles Steinkuehler
cstein at newtek.com
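The thread's point that a flag-only rule passes a forged ACK while a stateful firewall does not, shown as an added example (not code from the list or from the author): a Python sketch of an "established"-style rule beside a connection-tracking filter, both run over constructed packets. The Packet class, the addresses and the sample traffic are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flag letters, e.g. "S", "SA", "A"
    outbound: bool   # True = leaving the protected network


def stateless_allow(pkt: Packet) -> bool:
    """Flag-only rule of the kind an ipchains chain or an ACL 'established'
    entry expresses: inbound TCP is admitted whenever ACK is set, on the
    assumption that only replies to inside connections carry ACK.
    A bare ACK from anywhere satisfies it."""
    if pkt.outbound:
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Connection-tracking filter: inbound packets pass only when they
    belong to a connection an inside host opened with a SYN."""

    def __init__(self) -> None:
        self.conns = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.outbound:
            if "S" in pkt.flags:          # inside host opening a connection
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: look up the reversed 4-tuple in the tracked connections.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


# Constructed sample traffic: one real session, one forged bare ACK, one bare SYN.
SAMPLE = [
    Packet("10.0.0.5", 40000, "198.51.100.9", 80, "S", True),    # inside -> web
    Packet("198.51.100.9", 80, "10.0.0.5", 40000, "SA", False),  # legitimate reply
    Packet("203.0.113.7", 1234, "10.0.0.5", 22, "A", False),     # forged ACK probe
    Packet("203.0.113.7", 1235, "10.0.0.5", 22, "S", False),     # plain inbound SYN
]


def evaluate() -> dict:
    """Run both filters over SAMPLE; returns {index: (stateless, stateful)}."""
    stateful = StatefulFilter()
    return {i: (stateless_allow(p), stateful.allow(p)) for i, p in enumerate(SAMPLE)}
```

The forged ACK (index 2) is the only packet on which the two filters disagree, which is exactly the gap a home gateway without connection tracking leaves open.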
