23562 – Security Guide iptables config does not protect against floods

Bug 23562 - Security Guide iptables config does not protect against floods

Summary: Security Guide iptables config does not protect against floods

Status:	RESOLVED FIXED

Alias:	None

Product:	[OLD] Docs-user
Classification:	Unclassified
Component:	Gentoo Security Guide (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Sven Vermeulen (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	26705
	Show dependency tree

Reported:	2003-06-26 22:54 UTC by Carl A. Dunham
Modified:	2003-08-17 01:42 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carl A. Dunham 2003-06-26 22:54:31 UTC

Sections of the example /etc/init.d/filrewall contain lines like: 
 
#Flood protection 
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \  
      ALL RST --dport ssh -j ACCEPT 
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \  
      ALL FIN --dport ssh -j ACCEPT 
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \  
      ALL SYN --dport ssh -j ACCEPT 
  $IPTABLES -A allow-ssh-traffic-in -p tcp --dport ssh -j ACCEPT 
 
which are intended to limit SYN, FIN and RST floods. However, the final ACCEPT in the chain defeats 
the whole purpose. 

Reproducible: Always
Steps to Reproduce:
1. Load the iptables rules in the example (/etc/init.d/firewall start) 
2. hping --fast --syn (or --rst or --fin) --destport <port> <host> 
3.  
Actual Results:  
All packets have been delivered 

Expected Results:  
Only 1/second should be allowed (mod bursting)

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev

2003-08-15 08:02:32 UTC

I'll take the security-guide bugs

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2003-08-16 02:50:42 UTC

Would substituting 

"""
$IPTABLES -A allow-ssh-traffic-in -p tcp --dport ssh -j ACCEPT
"""

with

"""
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT
"""

suffice? SYN's aren't accepted since the connection isn't established yet; FIN's would, but once the connection is closed it doesn't do any more harm.

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2003-08-16 05:46:45 UTC

Proposed fix, part of #26705:

@@ -2565,7 +2583,7 @@
       ALL FIN --dport ssh -j ACCEPT
   $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \ 
       ALL SYN --dport ssh -j ACCEPT
-  $IPTABLES -A allow-ssh-traffic-in -p tcp --dport ssh -j ACCEPT
+  $IPTABLES -A allow-ssh-traffic-in -p tcp --dport ssh -j DROP
 
   #outgoing traffic
   einfo "Creating outgoing ssh traffic chain"

Comment 4 Carl A. Dunham 2003-08-16 18:15:18 UTC

wrt to Comment #2, I'm not sure what the potential harm of a "FIN Flood" would 
be on an already-closed connection. For that matter a "RST Flood" would 
probably fall into the same category. It wouldn't have the same damage of 
leaving state machines in long-term waiting states, like a SYN flood, but it 
would take som processing time (as would processing rules, so a wash?) 
 
The fix in Comment #3 seems broken, unless you also include the fix in Comment 
#2. Otherwise, you end up dropping all traffic to these ports, other than 
rate-limited SYN, FIN and RST packets. Perhaps if the allowed-connection chain 
was run earlier, that would also work...

Comment 5 Sven Vermeulen (RETIRED) gentoo-dev

2003-08-17 01:20:21 UTC

okay, using the first fix instead of the second...

Comment 6 Sven Vermeulen (RETIRED) gentoo-dev

2003-08-17 01:42:37 UTC

Committed