Cisco Systems Inc. Information for VU#539363

State-based firewalls fail to effectively manage session table resource exhaustion

Status

Affected

Vendor Statement

The Cisco PIX and Cisco IOS firewall provide users with many configurable features to effectively manage the session tables and are not vulnerable to resource exhaustion when configured appropriately.

PIX specific information:
------------------------
The PIX provides the ability to defend against a TCP flood attack by using the TCP Intercept feature, which leverages SYN Cookies. The PIX SYN Cookie implementation is stateless and does not need to maintain states when responding to a TCP SYN flood, and thus does not require having a more aggressive timeout. This enhanced TCP Intercept functionality is available in all of the latest PIX maintenance releases: 6.2(2), 6.1(4), 6.0(4) and 5.2(9).

The PIX is not vulnerable to an ACK attack as it requires a SYN to initiate a session.

The PIX has the Reverse-Path-Forwarding feature which ensures that the source IP addresses presented to the PIX have reached the PIX from a legitimate interface and thus are not spoofed.

The PIX has configurable timeout values for UDP traffic and also for specific UDP protocols like SIP, RPC, RTP, etc.

The security features available on the PIX to guard against a SYN flood or a UDP flood also address the Crikey CRC flood. The PIX TCP Intercept feature will prevent the Crikey CRC flood packets from reaching the server in the same way it protects against the TCP SYN flood.

One should always use Access Lists to limit the traffic to only allow valid traffic to reach one's network.


IOS FW specific information:
---------------------------
TCP SYN flood protection
- half-open sessions time out in 30 seconds (default). Can be configured to a smaller or higher value.
- configurable limit on maximum number of half-open sessions at a given time
- full-open sessions time out in 3600 seconds (default). Can be configured to a smaller or higher value.

UDP flood protection
- one-way UDP is considered to be a half-open session
- half-open sessions time out in 30 seconds (default). Can be configured to a smaller or higher value.
- configurable limit on maximum number of half-open sessions at a given time
- all UDP sessions time out after 30 seconds of inactivity, including full-open sessions. Can be configured to a smaller or higher value.

Crikey flood protection
- No special protection (IOS FW does not validate checksums)
- If the Layer 4 checksum is wrong in a SYN packet or in the initial UDP packet, then the session will remain half-open and the mechanisms described above will take effect.

The IOS FW has features to detect and block flood traffic that are automatically turned on, with appropriate default values, when the IOS FW is activated. IOS FW CLI commands to configure these features are:
- ip inspect max-incomplete high/low
- ip inspect one-minute high/low
- ip inspect tcp max-incomplete <num> block <minutes>

The IOS FW in the latest versions of code dynamically allocates memory for session state tables.

The IOS FW uses separate timeout values for initial sessions:
- half-open sessions have an idle timeout of 30 seconds.
- full-open TCP sessions have an idle timeout of 3600 seconds.
- full-open UDP sessions have an idle timeout of 30 seconds.
- DNS UDP sessions are treated specially and have an idle timeout of 5 seconds instead of 30 seconds.
- TCP sessions have a fin-wait timeout of 5 seconds for closing sessions.
- half-open and full-open idle timeouts can be configured to different values.

Full-open sessions can have configurable timeouts based on each supported application, e.g. FTP full-open idle timeout can be configured differently from SMTP full-open idle timeout.

The IOS FW allows for individually configuring which supported protocols need their connections tracked. One can choose to turn on or turn off tracking for any supported protocol.

The IOS FW has a feature in the works which would allow one to delete selected or all sessions in the state table with a CLI command.
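The following is an added illustrative IOS Firewall (CBAC) configuration that exercises the timers, half-open thresholds, per-protocol inspection and access-list filtering the vendor statement describes. It is not part of Cisco's statement; the interface names, addresses, access-list number, inspection rule name and all threshold values are assumptions chosen for illustration and should be tuned to the measured connection rate of the protected network.

```cisco
! Added illustrative CBAC configuration (not from Cisco's statement).
! Interface names, addresses, ACL number and threshold values are assumptions.

! Timers for half-open (SYN sent, no handshake) and closing TCP sessions, in seconds
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
! Idle timers for established sessions, in seconds
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5

! Aggregate half-open watermarks: above "high" the firewall starts deleting
! half-open sessions until the count falls below "low"
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! The same watermark logic applied to the rate of new half-open sessions per minute
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit; block-time 0 deletes the oldest half-open session
! to that host instead of blocking new connections to it for a period of minutes
ip inspect tcp max-incomplete host 50 block-time 0

! Track only the protocols that are needed, with a per-application idle timeout for FTP
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp timeout 3600
ip inspect name FW smtp

! Inbound ACL on the outside interface: permit only expected services,
! CBAC opens temporary return entries for inspected outbound sessions
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny ip any any log

interface FastEthernet0/0
 description Outside (assumed)
 ip address 198.51.100.1 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path

interface FastEthernet0/1
 description Inside (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip inspect FW in
```

After applying the configuration, `show ip inspect config` confirms the active timers and thresholds, and `show ip inspect sessions` lists the current half-open and established entries so the watermark values can be checked against real session counts rather than guessed.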

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.