Re: DROP or REJECT that is the question...

From: Tim (tim-pentest@sentinelchicken.org)
Date: Thu Apr 05 2007 - 21:38:08 EDT


Hello,

I looked into this question as a part of some research, and came to some
conclusions on it for myself. I will use Paul's email below to help me
put it into context.

> A 'reject' action on a firewall really means that you send an ICMP
> 3:3* (destination/port unreachable) message back to the source.

Not necessarily true. I believe the typical closed port response for
TCP is a TCP reset. Your statement is true for UDP though.

> Best
> practice for this is to use drop unless there's a specific need for
> the source to receive an ICMP reject message. Using reject
> incorrectly can make your firewall a pawn on DoS attacks by spoofing
> ICMP or DNS traffic to it.

I used to believe this as well. However, when you think specifically
about the DoS attack issue, the chances are your network is going to
expose at least one TCP port to the outside world, for instance. If you
do, then an attacker can use you for reflected TCP handshake
amplification on that port. You won't be able to do much to stop it, in
all likelihood, and it doesn't matter if all of your blocked ports send
out one RST. The attacker won't bother using it, since he gets better
amplification on the open port. On the UDP side, things may be slightly
different, but I suspect not greatly so.

> As far as giving away information, your firewall will probably be
> detected but also assumed by attackers. Your firewall policy should
> be to deny all traffic except for the [small number of] services that
> you need to allow through. This shouldn't be any big deal. No worse
> than ICMP timestamps being allowed on your routers, for example.

My research was specifically focused on information leakage through TCP
port scanning. After modeling the various scenarios (SYN stealth
scanning, spoofed SYNs, spoofed SYNs through an idle scan, etc.), I found
that the best strategy for the defender is to always return a RST on
blocked ports. This is because it will eliminate the attacker's ability
to use an idle scan to obtain port information without giving away her
IP address.

Keep in mind that you must be very careful about how the RSTs are sent
back, and this isn't the only consideration. Also, this applies only to
TCP since idle scans are generally a TCP-only attack. Food for thought
though.

> Also, the fact that you're asking about drop vs. reject tells me that
> there's a good probability that your firewall is either Check Point or
> iptables. Recon is easy. Get over it. The best thing to do is to
> harden your network against attack assuming that those details are
> publicly available.

Yeah, if I were you, I wouldn't worry too much about someone profiling
your firewall. Just be sure you understand exactly what your firewall
is doing, and keep it patched.

HTH,
tim

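An added illustration of the DROP-vs-REJECT question for the simple direct SYN-scan case (it does not model the idle-scan scenario discussed above); this is example code written for this archive page, not code from Tim or from the list. It assumes a firewall that either silently discards SYNs to blocked ports or answers them with a RST, and a host that answers SYN/ACK on listening ports and RST on closed ones.

```python
"""Model of what a direct SYN-scan observer learns about TCP ports
when blocked ports are DROPped versus REJECTed with a RST."""
from dataclasses import dataclass

# Observable answers to a TCP SYN (constructed labels, not packet formats).
SYN_ACK, RST, SILENCE = "SYN/ACK", "RST", "no reply"


@dataclass(frozen=True)
class Host:
    listening: frozenset  # TCP ports that have a listener


@dataclass(frozen=True)
class Firewall:
    allowed: frozenset    # TCP ports passed through to the host
    blocked_action: str   # "DROP" (discard silently) or "REJECT" (send RST)


def respond(fw, host, port):
    """Answer leaving the firewall/host pair for one SYN to `port`.
    fw=None models an unfirewalled host: SYN/ACK if listening, else RST."""
    if fw is not None and port not in fw.allowed:
        return SILENCE if fw.blocked_action == "DROP" else RST
    return SYN_ACK if port in host.listening else RST


def classify(answer):
    """Conventional SYN-scan interpretation of each answer."""
    return {SYN_ACK: "open", RST: "closed", SILENCE: "filtered"}[answer]


def scan(fw, host, ports):
    """Verdict per port as a remote observer would record it."""
    return {p: classify(respond(fw, host, p)) for p in ports}


def filter_visible(fw, host, ports):
    """Ports whose verdict reveals that a filter, not the host, answered
    (a bare host in this model never produces 'filtered')."""
    return sorted(p for p, v in scan(fw, host, ports).items() if v == "filtered")


def hidden_services(fw, host, ports):
    """Listening ports the observer does NOT see as open (what the policy hides).
    Both policies hide the same set; only filter_visible differs between them."""
    view = scan(fw, host, ports)
    return sorted(p for p in ports if p in host.listening and view[p] != "open")
```

Running `scan` with the same host and allowed-port set under "DROP" and "REJECT" shows the blocked ports reported as "filtered" in the first case and as "closed" in the second, while `hidden_services` is identical for both.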
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:41 EDT