"Johnson, Carl" wrote:
>
> I'm seeing some bad stuff on a Cisco PIX firewall. Sometimes the
> firewall will completely slow to a crawl. The console output will show
> nothing but the following error message displayed over and over:
>
> fh_insertb: too many connections(12) in set
>
> Cisco web site says that:
>
> "IP packets fragmented into more than 12 elements cannot pass through the
> PIX Firewall. When detected, the following console message appears:"
> (above error message is then listed)
<snip>
> Talking with Cisco, they say that the PIX is simply being overloaded
> by these fragments and there's nothing that can be done on the PIX. It
> has to be blocked upstream. What I'm trying to determine is:
>
> 1. If this is correct.
> 2. How to block it upstream on a Cisco router on a basis other than
> source IP.
Humm, sounds like the same thing Checkpoint said about FW-1 getting
overloaded by this traffic pattern a month or two ago. ;)
The problem is these packets can be spoofed. This means you cannot
filter based on source IP. You have two options:
1) Trace back the connection to the attacking host and stop them
2) Install a device to block this traffic that does not overload so
easily
Option #1 is difficult at best as it probably requires a coordinated
effort between multiple ISPs. Even then you may find that there are
multiple sources which makes the whole process that much more difficult.
As for option #2, I've tested both IPTables and IPFilter up to about 30
Mb of frags per second and both handled the traffic like a champ. Don't
know if putting a firewall in front of your firewall is an option, but I
deployed this for a few places because of a similar problem with FW-1
and it did the trick. Also, I don't know your bandwidth requirements.
Both firewalls may continue to do well above 30 Mb, I just didn't test
them any higher.
> Intrusion detection systems are an option
Actually, all this will do is detect the fragment condition. It cannot
help to save your firewall.
> but I was wondering if anyone
> has any suggestions on how to put in a filter on a Cisco router to filter
> fragments (or at least large numbers of them).
Dug through this for Lance before he released the FW-1 fragment DoS to
try and come up with a better fix than the kluge that CP released. I did
not have any luck. If someone does I would love to hear it. :)
> It seems like simply
> blocking all fragments is a bad idea of course.
Yes but if the tool in question is what I think it is (jolt2) the
fragments are illegal (not a multiple of 8) so it should be trivial to
clue in on them. Unfortunately, I could not find a way to do this in
Cisco IOS.
> Thank you very much for any insight!
I know the above is not what you wanted to hear, but it's the best I've
been able to come up with.
HTH,
Chris
--
**************************************
[EMAIL PROTECTED]
* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
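A small detector for the two conditions discussed in the thread, the "more than 12 elements" limit quoted from the PIX message and the non-final fragments whose length is not a multiple of 8, written as an added example that is not from the original posters; it assumes raw IPv4 packets as byte strings and constructs its own sample fragments in memory:

```python
import struct
from collections import defaultdict

# Added example, not code from the thread. Parses raw IPv4 headers and flags
# (a) non-final fragments whose payload length is not a multiple of 8 (offsets
# are counted in 8-byte units, so such fragments can never be reassembled) and
# (b) datagrams split into more than MAX_ELEMENTS pieces (12 in the PIX message).

MAX_ELEMENTS = 12        # limit quoted from the Cisco console message
MF_FLAG = 0x2000         # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF     # 13-bit fragment offset, in 8-byte units

def parse_ipv4(pkt):
    """Return the header fields a fragment check needs from a raw IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident, "proto": proto,
        "mf": bool(flags_off & MF_FLAG),
        "offset": (flags_off & OFFSET_MASK) * 8,   # byte offset of this piece
        "payload_len": total_len - ihl,
    }

def detect(packets):
    """Return alert strings for a list of raw IPv4 packets (bytes)."""
    alerts = []
    pieces = defaultdict(int)   # (src, dst, id, proto) -> fragments seen so far
    for pkt in packets:
        h = parse_ipv4(pkt)
        if not (h["mf"] or h["offset"] > 0):
            continue                                # not a fragment
        key = (h["src"], h["dst"], h["id"], h["proto"])
        pieces[key] += 1
        if h["mf"] and h["payload_len"] % 8 != 0:
            alerts.append(f"illegal fragment {key}: len={h['payload_len']}")
        if pieces[key] == MAX_ELEMENTS + 1:         # report once per datagram
            alerts.append(f"too many fragments {key}: more than {MAX_ELEMENTS}")
    return alerts

def sample_fragment(ident, offset, payload_len, more):
    """Constructed in-memory sample input (UDP, 10.0.0.1 -> 192.0.2.1), never sent."""
    flags_off = (MF_FLAG if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return hdr + b"\x00" * payload_len
```

A well-formed two-piece datagram produces no alert, a non-final 9-byte piece is reported as illegal, and the thirteenth piece of one datagram triggers the "too many fragments" alert.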