Re: IE Vol I - CBAC for DoS protection : Why does this work ?!?

From: Theo M (theorack@gmail.com)
Date: Tue Nov 20 2007 - 06:17:29 ART


Firewall ACL Bypass (FAB) was the culprit !!!
Here is the link for this feature:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d33da.html

--

On Nov 19, 2007 11:21 PM, Theo M <theorack@gmail.com> wrote:
> Hello,
>
> This is about the Port-Mapping w/ CBAC (PAM = Port-to-Application
> Mapping, Cisco IOS Firewall Port to Application Mapping (PAM)
> feature):
> "for these particular sources, these particular ports are to be
> treated by these specific Inspect protocol modules"
>
> Notice that the INSIDE ACL(in) on E2/0 doesn't block us from
> telnetting from R5::s0/1[155.1.45.5] to R4::Lo0:1023[150.1.4.4:1023],
> (in fact to 10.0.0.1:23, due to our Static PAT).
>
> Why is that ?!? ACLz ignore locally-generated traffic on output, but
> NOT on input !!!
> How do we bypass the INSIDE ACL(in) on E2/0 ?!? See config & debugs below...
>
>
> The Order of Operations for o->i should be NAT/Inspect/Routing, and
> for i->o should be Routing/NAT/Inspect, which seems to be the case.
> If dynamic entries are added to ACL(in) INSIDE, why can't we actually
> see them ?
> If no dynamic entries are added, how come our telnet works ?!?
>
> >>>
> Rack1R4#sh run
> Building configuration...
>
> Current configuration : 2453 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Rack1R4
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 65535 debugging
> enable password cisco
> !
> no aaa new-model
> memory-size iomem 15
> !
> !
> ip cef
> no ip domain lookup
> !
> !
> ip port-map telnet port tcp 1023 list 99 description TELNET
> ip port-map telnet port tcp 6023 list 99 description TELNET
> ip inspect name IT telnet
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 150.1.4.4 255.255.255.0
> ip ospf network point-to-point
> !
> interface Serial0/0
> no ip address
> encapsulation frame-relay
> no ip route-cache cef
> no ip route-cache
> !
> interface Serial0/0.1 point-to-point
> ip address 155.1.0.4 255.255.255.0
> ip nat outside
> ip inspect IT in
> ip virtual-reassembly
> no ip route-cache
> frame-relay interface-dlci 405
> !
> interface Serial0/1
> ip address 155.1.45.4 255.255.255.0
> ip nat outside
> ip inspect IT in
> ip virtual-reassembly
> no ip route-cache cef
> no ip route-cache
> clock rate 64000
> !
> interface Serial0/2
> no ip address
> shutdown
> !
> interface Serial0/3
> no ip address
> shutdown
> !
> interface Ethernet1/0
> no ip address
> shutdown
> half-duplex
> !
> interface Ethernet2/0
> ip address 10.0.0.4 255.255.255.0
> ip access-group INSIDE in
> ip nat inside
> ip virtual-reassembly
> no ip route-cache cef
> no ip route-cache
> half-duplex
> !
> router ospf 1
> router-id 150.1.4.4
> log-adjacency-changes
> network 150.1.4.4 0.0.0.0 area 0
> network 155.1.0.4 0.0.0.0 area 0
> network 155.1.45.4 0.0.0.0 area 0
> !
> router bgp 1
> no synchronization
> bgp router-id 150.1.4.4
> bgp log-neighbor-changes
> neighbor 150.1.5.5 remote-as 2
> neighbor 150.1.5.5 ebgp-multihop 255
> neighbor 150.1.5.5 update-source Loopback0
> no auto-summary
> !
> no ip http server
> no ip http secure-server
> !
> !
> ip nat inside source static tcp 10.0.0.6 23 interface Loopback0 6023
> ip nat inside source static tcp 10.0.0.1 23 interface Loopback0 1023
> !
> !
> ip access-list extended INSIDE
> deny ip any any
> access-list 99 permit 10.0.0.0 0.0.0.255
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> history size 256
> line aux 0
> privilege level 15
> line vty 0 4
> password cisco
> login
> line vty 5 871
> login
> !
> !
> end
> Rack1R4#
> === NAT o->i
> *Nov 19 22:52:54.747: NAT*: o: tcp (155.1.45.5, 57839) -> (150.1.4.4, 1023) [25313]
> *Nov 19 22:52:54.747: NAT*: o: tcp (155.1.45.5, 57839) -> (150.1.4.4, 1023) [25313]
> *Nov 19 22:52:54.747: NAT*: TCP s=57839, d=1023->23
> *Nov 19 22:52:54.747: NAT*: s=155.1.45.5, d=150.1.4.4->10.0.0.1 [25313]
> === Routing, 1st part, o->i
> *Nov 19 22:52:54.747: IP: tableid=0, s=155.1.45.5 (Serial0/0.1), d=10.0.0.1 (Ethernet2/0), routed via FIB
> === CBAC on input, R5::s0/1
> *Nov 19 22:52:54.751: CBAC sis 6486F7FC pak 642FF914 SIS_CLOSED/LISTEN TCP SYN SEQ 470345209 LEN 0 (155.1.45.5:57839) => (10.0.0.1:23)
> === Routing, 2nd part, o->i ( why is the CBAC debug in the middle of the Routing debug ?!?)
> *Nov 19 22:52:54.751: IP: s=155.1.45.5 (Serial0/0.1), d=10.0.0.1 (Ethernet2/0), g=10.0.0.1, len 44, forward
> *Nov 19 22:52:54.751: TCP src=57839, dst=23, seq=470345209, ack=0, win=4128 SYN
> === Routing, 1st part, i->o
> *Nov 19 22:52:54.755: IP: tableid=0, s=10.0.0.1 (Ethernet2/0), d=155.1.45.5 (Serial0/1), routed via FIB
> === NAT i->o
> *Nov 19 22:52:54.755: NAT: i: tcp (10.0.0.1, 23) -> (155.1.45.5, 57839) [63730]
> *Nov 19 22:52:54.755: NAT: TCP s=23->1023, d=57839
> *Nov 19 22:52:54.755: NAT: s=10.0.0.1->150.1.4.4, d=155.1.45.5 [63730]
> === CBAC on output, R5::s0/1
> *Nov 19 22:52:54.755: CBAC sis 6486F7FC pak 647D2F7C SIS_OPENING/SYNSENT TCP SYN ACK 470345210 SEQ 562784150 LEN 0 (150.1.4.4:1023) <= (155.1.45.5:57839)
> === Routing, 2nd part, i->o ( why is the CBAC debug in the middle of the Routing debug ?!?)
> *Nov 19 22:52:54.759: IP: s=150.1.4.4 (Ethernet2/0), d=155.1.45.5 (Serial0/1), g=155.1.45.5, len 44, forward
> *Nov 19 22:52:54.759: TCP src=1023, dst=57839, seq=562784150, ack=470345210, win=4128 ACK SYN
> Rack1R4#
> Rack1R4#sh deb
> Generic IP:
> IP packet debugging is on (detailed)
> IP NAT detailed debugging is on
> Inspection:
> INSPECT special events debugging is on
> INSPECT TCP Inspection debugging is on
>
> Rack1R4#
> <<<
>
>
> Update:
>
> However, if we use a standard ACL, access-list 22, like below, instead
> of INSIDE, the telnet connection gets dropped on input, on E2/0:
>
> >>>
> Rack1R4#sh run int e2/0
> Building configuration...
>
> Current configuration : 184 bytes
> !
> interface Ethernet2/0
> ip address 10.0.0.4 255.255.255.0
> ip access-group INSIDE in
> ip nat inside
> ip virtual-reassembly
> no ip route-cache cef
> no ip route-cache
> half-duplex
> end
>
> Rack1R4#sh access-lists
> Standard IP access list 22
> 10 deny any (8 matches)
> Standard IP access list 99
> 10 permit 10.0.0.0, wildcard bits 0.0.0.255
> Extended IP access list INSIDE
> 10 deny ip any any
> Rack1R4#
> <<<
>
> Any ideas ?!?
>
> --
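As an added illustration (not part of Theo's post or the thread), a small Python parser that walks the quoted NAT / IP / CBAC debug lines, recovers the order of operations the poster was reading off the router (NAT, routing, inspection, forward for o->i; routing, NAT, inspection, forward for i->o) and resolves the static PAT translation 150.1.4.4:1023 -> 10.0.0.1:23. The sample lines are the ones quoted above re-joined onto one line each; the stage names and record layout are this example's own.

```python
import re
# Constructed sample: the Rack1R4 debug lines quoted in the post, re-joined onto one line each.
DEBUG = """\
*Nov 19 22:52:54.747: NAT*: o: tcp (155.1.45.5, 57839) -> (150.1.4.4, 1023) [25313]
*Nov 19 22:52:54.747: NAT*: TCP s=57839, d=1023->23
*Nov 19 22:52:54.747: NAT*: s=155.1.45.5, d=150.1.4.4->10.0.0.1 [25313]
*Nov 19 22:52:54.747: IP: tableid=0, s=155.1.45.5 (Serial0/0.1), d=10.0.0.1 (Ethernet2/0), routed via FIB
*Nov 19 22:52:54.751: CBAC sis 6486F7FC pak 642FF914 SIS_CLOSED/LISTEN TCP SYN SEQ 470345209 LEN 0 (155.1.45.5:57839) => (10.0.0.1:23)
*Nov 19 22:52:54.751: IP: s=155.1.45.5 (Serial0/0.1), d=10.0.0.1 (Ethernet2/0), g=10.0.0.1, len 44, forward
*Nov 19 22:52:54.755: IP: tableid=0, s=10.0.0.1 (Ethernet2/0), d=155.1.45.5 (Serial0/1), routed via FIB
*Nov 19 22:52:54.755: NAT: i: tcp (10.0.0.1, 23) -> (155.1.45.5, 57839) [63730]
*Nov 19 22:52:54.755: NAT: TCP s=23->1023, d=57839
*Nov 19 22:52:54.755: NAT: s=10.0.0.1->150.1.4.4, d=155.1.45.5 [63730]
*Nov 19 22:52:54.755: CBAC sis 6486F7FC pak 647D2F7C SIS_OPENING/SYNSENT TCP SYN ACK 470345210 SEQ 562784150 LEN 0 (150.1.4.4:1023) <= (155.1.45.5:57839)
*Nov 19 22:52:54.759: IP: s=150.1.4.4 (Ethernet2/0), d=155.1.45.5 (Serial0/1), g=155.1.45.5, len 44, forward
"""
NAT_PORT = re.compile(r"NAT\*?: TCP s=(\S+), d=(\S+)$")        # 'before->after' port fields
NAT_ADDR = re.compile(r"NAT\*?: s=(\S+), d=(\S+) \[")          # 'before->after' address fields
ROUTE = re.compile(r"IP: tableid=\d+, .*routed via FIB")
CBAC = re.compile(r"CBAC sis \w+ pak \w+ (\S+) TCP ")          # group 1 = session state
FORWARD = re.compile(r"IP: s=[\d.]+ \(\S+\), d=[\d.]+ \(\S+\), .*, forward$")

def _split(field):  # '1023->23' -> ('1023', '23'); an untranslated field maps onto itself
    before, _, after = field.partition("->")
    return before, after or before

def parse_packets(debug):
    """Per-packet records: stages in the order the router logged them, CBAC state, NAT fields."""
    packets, cur = [], {"stages": [], "nat": {}}
    for line in debug.splitlines():
        if m := NAT_PORT.search(line):
            cur["nat"]["sport"], cur["nat"]["dport"] = map(_split, m.groups())
        elif m := NAT_ADDR.search(line):  # last of the NAT trio, so record the stage here
            cur["nat"]["src"], cur["nat"]["dst"] = map(_split, m.groups())
            cur["stages"].append("NAT")
        elif ROUTE.search(line):
            cur["stages"].append("ROUTE")
        elif m := CBAC.search(line):
            cur["stages"].append("CBAC")
            cur["cbac_state"] = m.group(1)
        elif FORWARD.search(line):  # the 'forward' line closes the packet
            cur["stages"].append("FORWARD")
            packets.append(cur)
            cur = {"stages": [], "nat": {}}
    return packets

def translation(pkt):
    """(src, dst) as 'ip:port' pairs: index 0 before NAT, index 1 after NAT."""
    n = pkt["nat"]
    return tuple((f"{n['src'][i]}:{n['sport'][i]}", f"{n['dst'][i]}:{n['dport'][i]}") for i in (0, 1))
```

Lines the parser does not recognise (the duplicated NAT header, the TCP flag lines) are skipped, so the full quoted debug can be fed in unchanged.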



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:30 ART