In my previous post I showed what a SYN flood and SYN scan was. The ability to determine open ports rather silently and not trigger alarms may have raised the eyebrows of some. I mentioned that Stateful Packet Inspection and Firewalls can stop this. Certain logging applications can alarm on SYN and SYN/ACK without an ACK.
Queue holy music and the clouds parting. Today I will deploy some protection with the SRX110. So without a screen this is what happens when I launch a SYN scan against my SRX. Time to fight back.
dreamspike:~ pandom_$ sudo nmap -sS 192.168.1.200 Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-20 21:28 EST Nmap scan report for 192.168.1.200 Host is up (0.0029s latency). Not shown: 999 filtered ports PORT STATE SERVICE 22/tcp open ssh MAC Address: B0:A8:6E:66:E2:00 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 4.77 seconds dreamspike:~ pandom_$
As you can see you can see the service that is running on it. Good old SSH. Well I don’t want people to just scan my untrusted interface and decipher what is running. I am going to ensure that I can control the amount of information I give up freely. I am not going down without a fight.
The following screen can be put in place. I have applied it to my untrust security zone.
set security screen ids-option untrust-screen tcp syn-flood
Now to check and confirm configuration.
[email protected]> show configuration security screen ids-option untrust-screen icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-ack-ack-proxy threshold 100; syn-flood; } land; }
Okay. Lets launch nmap again. How do you think this will go?
telaranrhiod:~ pandom$ sudo nmap -sS 192.168.1.200 Password: Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-21 09:45 EST Nmap scan report for 192.168.1.200 Host is up (0.0041s latency). Not shown: 792 filtered ports PORT STATE SERVICE 4/tcp open unknown 7/tcp open echo 9/tcp open discard 22/tcp open ssh 32/tcp open unknown 37/tcp open time 43/tcp open whois 70/tcp open gopher 89/tcp open su-mit-tg 161/tcp open snmp 254/tcp open unknown 264/tcp open bgmp 301/tcp open unknown 407/tcp open timbuktu 417/tcp open onmux 512/tcp open exec 544/tcp open kshell 545/tcp open ekshell 631/tcp open ipp 666/tcp open doom 668/tcp open mecomm 687/tcp open asipregistry 691/tcp open resvc 705/tcp open agentx 714/tcp open iris-xpcs 720/tcp open unknown 722/tcp open unknown 783/tcp open spamassassin 900/tcp open omginitialrefs 1021/tcp open exp1 1022/tcp open exp2 1028/tcp open unknown 1031/tcp open iad2 1033/tcp open netinfo 1034/tcp open zincite-a 1036/tcp open nsstp 1040/tcp open netsaint 1042/tcp open afrog 1045/tcp open fpitp 1049/tcp open td-postman 1052/tcp open ddt 1056/tcp open vfo 1062/tcp open veracity 1065/tcp open syscomlan 1067/tcp open instl_boots 1068/tcp open instl_bootc 1071/tcp open bsquare-voip 1082/tcp open amt-esd-prot 1084/tcp open ansoft-lm-2 1090/tcp open ff-fms 1121/tcp open rmpp 1124/tcp open hpvmmcontrol 1151/tcp open unizensus 1187/tcp open alias 1199/tcp open dmidi 1213/tcp open mpc-lifenet 1236/tcp open bvcontrol 1272/tcp open cspmlockmgr 1461/tcp open ibm_wrless_lan 1521/tcp open oracle 1580/tcp open tn-tl-r1 1583/tcp open simbaexpress 1700/tcp open mps-raft 1717/tcp open fj-hdnet 1719/tcp open h323gatestat 1721/tcp open caicci 1801/tcp open msmq 1812/tcp open radius 1862/tcp open mysql-cm-agent 1863/tcp open msnp 1900/tcp open upnp 1914/tcp open elm-momentum 1974/tcp open drp 1999/tcp open tcp-id-port 2000/tcp open cisco-sccp 2010/tcp open search 2020/tcp open xinupageserver 2035/tcp open imsldoc 2045/tcp open cdfunc 2046/tcp open sdfunc 2048/tcp open dls-monitor 2068/tcp open advocentkvm 2100/tcp open amiganetfs 2103/tcp open zephyr-clt 2107/tcp open msmq-mgmt 2179/tcp open vmrdp 2190/tcp open tivoconnect 2288/tcp open netml 2366/tcp open qip-login 2710/tcp open sso-service 2875/tcp open dxmessagebase2 2910/tcp open tdaccess 2968/tcp open enpp 3005/tcp open deslogin 3017/tcp open event_listener 3077/tcp open orbix-loc-ssl 3128/tcp open squid-http 3211/tcp open avsecuremgmt 3300/tcp open unknown 3323/tcp open active-net 3372/tcp open msdtc 3390/tcp open dsc 3690/tcp open svn 3784/tcp open bfd-control 3827/tcp open netmpi 3871/tcp open avocent-adsap 3878/tcp open fotogcad 3889/tcp open dandv-tester 3945/tcp open emcads 4002/tcp open mlchat-proxy 4126/tcp open ddrepl 4279/tcp open vrml-multi-use 4444/tcp open krb524 4445/tcp open upnotifyp 4446/tcp open n1-fwp 4567/tcp open tram 4899/tcp open radmin 5000/tcp open upnp 5001/tcp open commplex-link 5003/tcp open filemaker 5009/tcp open airport-admin 5054/tcp open rlm-admin 5087/tcp open unknown 5200/tcp open targus-getdata 5214/tcp open unknown 5226/tcp open hp-status 5405/tcp open pcduo 5431/tcp open park-agent 5500/tcp open hotline 5550/tcp open sdadmind 5560/tcp open isqlplus 5631/tcp open pcanywheredata 5633/tcp open beorl 5678/tcp open rrac 5801/tcp open vnc-http-1 5859/tcp open wherehoo 5862/tcp open unknown 6004/tcp open X11:4 6006/tcp open X11:6 6100/tcp open synchronet-db 6123/tcp open backup-express 6510/tcp open mcer-port 6580/tcp open parsec-master 6646/tcp open unknown 6667/tcp open irc 6692/tcp open unknown 6788/tcp open smc-http 7004/tcp open afs3-kaserver 7103/tcp open unknown 7106/tcp open unknown 7201/tcp open dlip 7443/tcp open oracleas-https 7741/tcp open scriptview 7800/tcp open asr 7938/tcp open lgtomapper 8011/tcp open unknown 8021/tcp open ftp-proxy 8022/tcp open oa-system 8081/tcp open blackice-icecap 8085/tcp open unknown 8090/tcp open unknown 8222/tcp open unknown 8333/tcp open unknown 8443/tcp open https-alt 8701/tcp open unknown 8899/tcp open ospf-lite 8994/tcp open unknown 9050/tcp open tor-socks 9080/tcp open glrpc 9207/tcp open wap-vcal-s 9290/tcp open unknown 9418/tcp open git 9502/tcp open unknown 9535/tcp open man 9593/tcp open cba8 9618/tcp open condor 9929/tcp open nping-echo 10012/tcp open unknown 10566/tcp open unknown 11111/tcp open vce 13782/tcp open netbackup 15004/tcp open unknown 15742/tcp open unknown 16080/tcp open osxwebadmin 16992/tcp open amt-soap-http 19283/tcp open keysrvr 19350/tcp open unknown 19842/tcp open unknown 20222/tcp open ipulse-ics 24800/tcp open unknown 25735/tcp open unknown 27353/tcp open unknown 27715/tcp open unknown 30000/tcp open unknown 30951/tcp open unknown 31038/tcp open unknown 32769/tcp open filenet-rpc 32777/tcp open sometimes-rpc17 34573/tcp open unknown 35500/tcp open unknown 48080/tcp open unknown 49154/tcp open unknown 49400/tcp open compaqdiag 51103/tcp open unknown 52848/tcp open unknown 54045/tcp open unknown 56737/tcp open unknown 65129/tcp open unknown MAC Address: B0:A8:6E:66:E2:00 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 34.67 seconds telaranrhiod:~ pandom$
Phwoar. Look at all the breadcrumbs and honeypots. If that was the response I got from a scan I’d be shaking my head. Where to start? What vulnerability to address? For an attacker, the return on investment is money vs time. How much money will they get for the time they spend attacking? The results above will slow an attacker down. Remember though, this is NOT the only way to discover ports. This may be the quietest way but certainly not the only way.
[email protected]> show security screen statistics zone untrust Screen statistics: IDS attack type Statistics ICMP flood 0 UDP flood 0 TCP winnuke 0 TCP port scan 0 ICMP address sweep 0 TCP sweep 0 UDP sweep 0 IP tear drop 0 TCP SYN flood 13377 IP spoofing 0 ICMP ping of death 0 IP source route option 0 TCP land attack 0 TCP SYN fragment 0 TCP no flag 0 IP unknown protocol 0 IP bad options 0 IP record route option 0 IP timestamp option 0 IP security option 0 IP loose source route option 0 IP strict source route option 0 IP stream option 0 ICMP fragment 0 ICMP large packet 0 TCP SYN FIN 0 TCP FIN no ACK 0 Source session limit 0 TCP SYN-ACK-ACK proxy 0 IP block fragment 0 Destination session limit 0
Above output shows 13377 hits of SYN SYN/ACK without an ACK have occurred on the untrust screen. Verification is important but also Controlling options is paramount. You must remember that understanding what traverses your network is critical to understanding security risks and mitigating them.
A security engineer must consider that illegitimate TCP SYN requests en masse constitutes a denial of service attack. To accurately control traffic without dropping legitimate TCP sessions an understanding of expected TCP session is important.
The SRX has many options to control SYN floods under the screens particular option. They range from source and destination to attack thresholds. It is important to understand the difference. Source and Destination thresholds can be very bad. They will drop any TCP session, legitimate or illegitimate, once the threshold is reached. The difference between Source and Destination and attack thresholds is the following. An attack threshold, once reached, will proxy SYN-ACK replies to SYN requests to an attempt to determine legitimate TCP connections.
Now let us look at the system defaults before we go change stuff. Juniper has applied these defaults for the SRX110. These change per platform.
[email protected]> show security screen ids-option untrust-screen Screen object status: Name Value IP tear drop enabled TCP SYN flood attack threshold 200 TCP SYN flood alarm threshold 512 TCP SYN flood source threshold 4000 TCP SYN flood destination threshold 50 TCP SYN flood timeout 20 ICMP ping of death enabled IP source route option enabled TCP land attack enabled TCP SYN-ACK-ACK proxy threshold 100
The commands above put limits on packets per second. If they need to be tweaked that can be done like below. If you are worried about half-open sessions filling up your firewalls connection table then reduce the timeout period from the default of 20 to 10.
set security screen ids-option untrust-screen tcp syn-flood timeout 10 set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1500 set security screen ids-option untrust-screen tcp syn-flood source-threshold 3200 set security screen ids-option untrust-screen tcp syn-flood destination-threshold 8000
I cannot stress enough the importance of understanding the traffic flows and baseline information when adjusting the SYN thresholds on source and destination. Simple deployment for effective results. If you are not careful, it could be too effective. After all, a SYN flood won’t occur if you have a crippled network segment due to aggressive thresholds.
Hey Dude.
I noted on twitter to use a CP filter as the initial part of your post mentioned “Well I don’t want people to just scan my untrusted interface and decipher what is running”
You would construct a CP filter in which only trusted source IP ranges were allowed in on certain protocols on the untrusted interface. i.e. you would only allow inbound SSH from a trusted source IP range. Hence if someone scanned on your untrusted interface from a range not in your trusted source, they would never even know that port was open.
In fact your CP filter should be constructed so that only known legitimate traffic would ever come inbound. Anyone scanning your interface would only see legitimate services responding to them. Of course nothing really should be open to them.
Of course transit traffic is handled differently. The above is only for services running and responding on the firewall itself.
The great thing about junos as well is that it allows you to use something called apply-paths which pulls IP addresses directly from other parts of the configuration. As an example on my edge Junipers I have an apply-path statement that only allows BGP inbound form an apply-path statement that matched any configured BGP peer. This means the filter automatically allowed a newly configured neighour in, and blocks any peer that I de-configure (is that a word?)
You can of course also police syn packets inbound to the CP. Same as ICMP or any other packet.
But yes, this is all for traffic going to the device itself, but you did mention the statement I noted above so assumed this is what you were blocking 🙂
Thank you for the detailed reply. My initial post was looking at scanning in general and evolved to defending against it in Juniper. I might throw some ASA in to balance it out.
When doing this I didnt really think to apply a CP filter. I feel a follow up blog coming on.
Thanks for taking the time to read and follow up with the comment.
Ant.
I absolutely love your detailled blog posts.
Very informative, especially when others (ie Darren O’Connor 😉 ) add to your posts 🙂
Can’t wait what’s next in 2013 😀
Thanks. Glad you enjoy. Yes – having community interaction is awesome. Allows better discussion to take place. Learning is one thing, applying it in a real world situation is another.
2013, I hope will contain a lot of cool blogs. I hit 50,000 hits this year and 2013 I hope for 100,000.