Friday, October 17, 2008

Identify and Mitigate Network Attacks for the CCIE Security Lab Exam

1. Fragmentation attacks

Typically, a network-forwarding device such as a router or switch does not reassemble the fragmented packets it receives; the destination host reconstructs the datagram once all of its fragments have arrived. Passing fragments through a firewall unchecked is therefore insecure: an attacker can deliberately break packets up to hide traffic strings that the firewall would otherwise detect and block, and can use fragments for DoS attacks (for example, by flooding a host's reassembly buffers with fragments that never complete). To counter this, a stateful firewall discards any non-initial fragment unless the corresponding initial fragment was already permitted through, which means non-initial fragments that arrive before their initial fragment are discarded. This removes the possibility of overloading host resources with unmatched non-initial fragments, and forces an attacker who wants to abuse unmatched initial fragments to resort to relatively elaborate address spoofing.

On Cisco IOS routers, starting with release 12.3(8)T, the Virtual Fragmentation Reassembly (VFR) feature, enabled per interface with the ip virtual-reassembly command, implements this behaviour and helps protect against various fragmentation attacks.

How the fragments keyword works in an ACL is described in this Cisco white paper: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml
Look at the example closely to understand it:
access-list 101 deny ip any host 171.16.23.1 fragments
access-list 101 permit tcp any host 171.16.23.1 eq 80
access-list 101 deny ip any any

ACL 101 does not allow non-initial fragments through to the server because of the first line. A non-initial fragment to the server is denied at the first ACL entry: the Layer 3 information in the packet matches the Layer 3 information in that entry, and the fragments keyword makes the entry apply to non-initial fragments.

Initial fragments and non-fragmented packets to port 80 on the server also match the first line on Layer 3 information, but because the fragments keyword is present that line applies only to non-initial fragments, so processing continues with the next entry (the second line). The second line permits these packets because they match on both Layer 3 and Layer 4 information (an initial fragment still carries the TCP header).

Non-initial fragments destined to the TCP ports of other hosts on the 171.16.23.0 network are also blocked by this ACL. Their Layer 3 information does not match the first line (a different destination host), so the next line is processed; it does not match the second line either, so the third line is processed, and that line denies all remaining traffic (it spells out the implicit deny that ends every ACL).

The net effect is that ACL 101 permits only non-fragmented HTTP flows to the server. Initial fragments of a port-80 flow are permitted by the second line, but since their non-initial fragments are dropped the server can never reassemble them, so fragmented HTTP does not get through either.
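As an added example that is not part of the original post and not Cisco's own code, the following Python script models the two mechanisms described above: the stateful "no non-initial fragment before its initial fragment" rule that VFR enforces, and the way IOS evaluates an ACL entry that carries the fragments keyword (an entry with fragments applies only to non-initial fragments; an entry with Layer 4 information permits a non-initial fragment on a Layer 3 match alone but, if it is a deny, skips it and moves on). The ACL lines are ACL 101 from above; the source addresses, IP IDs and fragment offsets are constructed, the parser understands only "any" and "host" addresses, and the evaluation order is a simplification of the router's behaviour.

```python
# Added example (not from the original post or from Cisco): a model of how IOS
# evaluates an ACL entry with the `fragments` keyword, plus a VFR-style check
# that drops non-initial fragments arriving before their initial fragment.
# The ACL is ACL 101 from the post; source addresses, IP IDs and offsets are
# constructed. Only "any" and "host A.B.C.D" addresses are parsed here.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    ip_id: int                    # IP Identification, shared by all fragments of a datagram
    frag_offset: int = 0          # 0 for unfragmented packets and initial fragments
    more_fragments: bool = False  # MF flag
    dport: Optional[int] = None   # L4 destination port, None when no L4 header is present

    @property
    def kind(self) -> str:
        if self.frag_offset > 0:
            return "non-initial"
        return "initial" if self.more_fragments else "unfragmented"


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", ...
    src: str              # "any" or a host address
    dst: str
    dport: Optional[int]  # set when the entry carries L4 information (eq <port>)
    fragments: bool       # `fragments` keyword present


def _parse_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("unsupported address syntax: " + " ".join(tokens))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>] [fragments]'."""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    dport, fragments = None, False
    while rest:
        if rest[0] == "eq":
            dport, rest = int(rest[1]), rest[2:]
        elif rest[0] == "fragments":
            fragments, rest = True, rest[1:]   # IOS allows this only on L3-only entries
        else:
            raise ValueError("unsupported keyword: " + rest[0])
    return Ace(action, proto, src, dst, dport, fragments)


def _l3_match(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the matching entry); index -1 is the implicit deny."""
    for idx, ace in enumerate(acl):
        if not _l3_match(ace, pkt):
            continue
        if ace.fragments:                       # applies to non-initial fragments only
            if pkt.kind == "non-initial":
                return ace.action, idx
            continue
        if ace.dport is None:                   # L3-only entry: applies to every packet kind
            return ace.action, idx
        if pkt.kind == "non-initial":           # no L4 header to inspect:
            if ace.action == "permit":          #   a permit matches on L3 alone,
                return "permit", idx
            continue                            #   a deny is skipped (next entry is tried)
        if pkt.dport == ace.dport:
            return ace.action, idx
    return "deny", -1


class FragmentTracker:
    """VFR-style rule: a non-initial fragment is accepted only if the initial
    fragment of the same datagram (src, dst, proto, IP ID) was seen before it."""

    def __init__(self) -> None:
        self._seen_initial = set()

    def check(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.kind == "initial":
            self._seen_initial.add(key)
        elif pkt.kind == "non-initial":
            return key in self._seen_initial
        return True


SERVER = "171.16.23.1"
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 deny ip any host 171.16.23.1 fragments",
    "access-list 101 permit tcp any host 171.16.23.1 eq 80",
    "access-list 101 deny ip any any",
)]
ACL_WITHOUT_FRAGMENTS_LINE = ACL_101[1:]   # same ACL minus the first entry

if __name__ == "__main__":
    late = Packet("tcp", "10.0.0.5", SERVER, 2, frag_offset=185)   # non-initial fragment to the server
    print("ACL 101:", evaluate(ACL_101, late),
          " without the fragments line:", evaluate(ACL_WITHOUT_FRAGMENTS_LINE, late))
```

Running the script shows why the first ACL line exists: without it, the non-initial fragment to the server is permitted by the permit tcp ... eq 80 entry on its Layer 3 match alone, because there is no TCP header in the fragment for the router to check the port against.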

By default, the Cisco ASA accepts up to 24 fragments per IP packet (fragment chain 24) and holds up to 200 fragments awaiting reassembly per interface (fragment size 200). To refuse fragmented packets altogether on an interface, set the chain limit to 1 so that only unfragmented packets are accepted:

ASA1(config)# fragment chain 1 [interface_name]

2. Malicious IP option usage
3. Network reconnaissance attacks
4. IP spoofing attacks
5. MAC spoofing attacks
6. ARP spoofing attacks
7. Denial of Service (DoS) attacks
8. Distributed Denial of Service (DDoS) attacks

There is a good article here: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html on DDoS. Since this article focuses on the CCIE Lab exam hardware and software, I won't go much into the Cisco DDoS mitigation system using the Cisco Guard XT line of products.
9. Man-in-the-Middle (MiM) attacks
10. Port redirection attacks
11. DHCP attacks
12. DNS attacks
13. Smurf attacks
14. SYN attacks
15. MAC Flooding attacks
16. VLAN hopping attacks
17. Layer 2 and Layer 3 attacks
