Cisco response re PIX fragmentation issue

From: Cisco Product Security Incident Response Team (psirtat_private)
Date: Thu Aug 27 1998 - 21:20:01 PDT


    
    On August 19, 1998, a BUGTRAQ subscriber posted a description of a
    fragmentation-based denial of service attack against hosts protected by
    Cisco PIX firewalls. This attack exploits resource management
    vulnerabilities in the IP stacks on the protected hosts. The attack in
    question is a standard one, common to the PIX firewall and to many
    other packet filtering devices.
    
    This vulnerability is real, and has been assigned Cisco bug ID
    CSCdk36273. Although we believe that the practical impact of the attack
    may be less than the original poster implied, we have made changes to
    the PIX firewall software to improve its behavior in the face of
    fragmented packets. Specifically,
    
     o Interfragment state will be kept. A non-initial fragment will be
       discarded unless the corresponding initial fragment was permitted
       to pass through the firewall. Non-initial fragments received before
       the corresponding initial fragments will be discarded.
    
     o The amount of memory dedicated to fragment state will be limited
       in order to avoid the obvious denial of service attacks against
       the PIX firewall itself.
    
     o Fragments received for statically configured NAT addresses without
       conduits will be dropped as other unsolicited packets are.
    
     o Fragments will be checked for certain overwrite attacks.
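
As an added illustration that is not Cisco's code and not part of the original post, the following Python sketch models the four behaviours listed above as one stateful fragment filter; the permit_initial callback and the max_state cap are assumptions standing in for the PIX's own policy lookup and tuning.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    """Constructed model of the IPv4 header fields a fragment filter keys on."""
    src: str
    dst: str
    proto: int
    ident: int      # IP identification: ties fragments of one datagram together
    offset: int     # fragment offset, in bytes
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag: more fragments follow

class FragmentFilter:
    """Stateful fragment filter modelling the PIX 4.2.2 changes listed above.
    permit_initial: hypothetical policy callable deciding an initial fragment
    (a real PIX consults its conduits and access lists instead).
    max_state: cap on tracked datagrams, bounding memory spent on fragment state.
    """
    def __init__(self, permit_initial, max_state=1000):
        self.permit_initial = permit_initial
        self.max_state = max_state
        self.state = {}   # (src, dst, proto, ident) -> [(start, end)] byte ranges seen

    def filter(self, frag):
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        end = frag.offset + frag.length
        if frag.offset == 0:
            if not self.permit_initial(frag):
                return "drop"   # initial fragment denied by policy: no state is created
            if not frag.more:
                return "pass"   # unfragmented datagram: nothing to track
            if key not in self.state and len(self.state) >= self.max_state:
                return "drop"   # state table full: refuse rather than exhaust memory
            self.state[key] = [(0, end)]
            return "pass"
        ranges = self.state.get(key)
        if ranges is None:
            return "drop"   # non-initial fragment with no permitted initial fragment seen
        for start, seen_end in ranges:
            if frag.offset < seen_end and end > start:
                del self.state[key]
                return "drop"   # overlaps bytes already seen: treat as an overwrite attack
        ranges.append((frag.offset, end))
        if not frag.more:
            del self.state[key]   # last fragment seen; release state (simplification:
                                  # a real implementation also expires state on a timer)
        return "pass"
```

Because state is released at the last fragment, a legitimate fragment arriving after it is dropped, which is the out-of-order case the message says Cisco intends to improve on.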
    
    These changes are undergoing quality assurance testing, and will be
    released in Cisco PIX firewall software release 4.2.2, which is
    tentatively scheduled for mid-September. We do not believe that our
    customers are critically exposed at this time, especially if they have
    followed our configuration recommendations for their PIX firewalls.  If
    an actual attack is staged against any of our customers using this
    vulnerability, we are prepared to offer tactical support.
    
    Although these changes address the immediate problem, we are reexamining
    the handling of IP fragments in the PIX firewall and in our other
    firewall products. We hope to improve on the present changes in terms of
    robustness and performance in cases where fragments are legitimately
    delivered out of order, and to improve the resistance of our firewalls
    against a variety of other potential fragmentation attacks.
    
    We will be issuing a formal security notice regarding this problem
    within the next two weeks.
    
                                    -- J. Bashinski
                                       for Cisco Systems' Product Security
                                       Incident Response Team
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:54 PDT