Per-host TCP connection limit tests

Date: August 16, 2018

Scenario

This lab simulates the need to limit the number of connections per IP to a site.

This tool, here taken to the extreme of only 4 sessions per IP, is used to prevent DoS attacks, where an attacker can open dummy sessions to exhaust a server's resources.

This type of attack is a variant of the SYN flood, where sessions are left half-open (embryonic sessions). As part of the lab I also simulated and documented it, but I did not include it in this document, so as to have some material to continue with later on.

As a study recommendation, although it is hard to find (on paper), this book is fantastic.

Thanks to Pablito Marinozzi for selling me his copy; I lent mine out... and lost it.

Required configuration:

NAT:

ASA-5510(config)# object network obj-192.168.1.10
ASA-5510(config-object)# host 192.168.1.10
ASA-5510(config-object)# exit
ASA-5510(config)# nat (inside,outside) source static obj-192.168.1.10 interface
ASA-5510(config)#

Inbound permissions:

ASA-5510(config)# access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 80
ASA-5510(config)# access-group OUTSIDE-IN in interface outside
ASA-5510(config)#

ACL for the interesting traffic to analyze:

We create two entries, one pre-NAT and one post-NAT, to confirm which one applies on versions after 8.3.

ASA-5510(config)# access-list CONNs-OUTSIDE extended permit ip any host 200.69.0.1 (pre-NAT)
ASA-5510(config)# access-list CONNs-OUTSIDE extended permit ip any host 192.168.1.10 (post-NAT)
ASA-5510(config)#

Traffic classifier to be used in policies:

ASA-5510(config)# class-map CONNs
ASA-5510(config-cmap)#  match access-list CONNs-OUTSIDE
ASA-5510(config-cmap)#  exit
ASA-5510(config)#

Policies to apply on the interface:

ASA-5510(config)# policy-map OUTSIDE-POLICY
ASA-5510(config-pmap)#  class CONNs
ASA-5510(config-pmap-c)# set connection per-client-max 4 (we limit to 4 TCP flows per host)
ASA-5510(config-pmap-c)# exit
ASA-5510(config-pmap)# exit
ASA-5510(config)#

They are applied to the outside interface:

ASA-5510(config)# service-policy OUTSIDE-POLICY interface outside
ASA-5510(config)#

Verification:

ASA-5510# sh service-policy interface outside

Interface outside:
  Service-policy: OUTSIDE-POLICY
    Class-map: CONNs
      Set connection policy: per-client-max 4
        current conns 0, drop 0
ASA-5510#

Verification (we generate inbound traffic):

ASA-5510#sh access-list CONNs-OUTSIDE
access-list CONNs-OUTSIDE; 2 elements; name hash: 0xf4f8ea73
access-list CONNs-OUTSIDE line 1 extended permit ip any host 200.69.0.1 (hitcnt=0) 0x4151882e (pre-NAT)
access-list CONNs-OUTSIDE line 2 extended permit ip any host 192.168.1.10 (hitcnt=19) 0x07ee2911 (post-NAT)
ASA-5510#

Only the post-NAT entry (the real address 192.168.1.10) accumulates hits, which confirms that on 8.3 and later the ACL matches the untranslated address.

ASA-5510#sh local-host 192.168.1.10
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 4/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 200.69.0.2:53267 inside 192.168.1.10:80, idle 0:00:14, bytes 93480, flags UIOB
    TCP outside 200.69.0.2:53266 inside 192.168.1.10:80, idle 0:00:14, bytes 27764, flags UIOB
    TCP outside 200.69.0.2:53265 inside 192.168.1.10:80, idle 0:00:14, bytes 64633, flags UIOB
    TCP outside 200.69.0.2:53264 inside 192.168.1.10:80, idle 0:00:14, bytes 37307, flags UIOB
Interface outside: 1 active, 1 maximum active, 0 denied
ASA-5510#

%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53334 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53378 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53384 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53391 to 192.168.1.10/80 on interface outside

Detail 1: the browser tabs showing "Waiting for 200.69.0.1" are the ones being denied by the limiter.
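The 201013 messages above are the signal to watch for on the logging side. As an added example (not part of the original lab), the following Python script parses these syslog lines, groups the rejected attempts by client IP and lists the clients that keep retrying after hitting the limit. The message text is taken from the lab output; the sample log list, the unrelated 302013 "Built inbound TCP connection" line used as noise, and the alert threshold are constructed for the example.

```python
import re

# Syslog message 201013 as shown in the lab output ("4/4" is current/limit).
# This parser is an added example, not part of the original lab.
ASA_201013 = re.compile(
    r"%ASA-3-201013: Per-client connection limit exceeded "
    r"(?P<current>\d+)/(?P<limit>\d+) for input packet from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) to "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+) "
    r"on interface (?P<interface>\S+)"
)

# Constructed sample: the four rejected HTTP attempts from the lab, one rejected
# attempt from a second client, and an unrelated message (302013, connection
# built) that the parser must ignore.
SAMPLE_LOG = [
    "%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53334 to 192.168.1.10/80 on interface outside",
    "%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53378 to 192.168.1.10/80 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 1201 for outside:200.69.0.2/53400 (200.69.0.2/53400) to inside:192.168.1.10/80 (200.69.0.1/80)",
    "%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53384 to 192.168.1.10/80 on interface outside",
    "%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53391 to 192.168.1.10/80 on interface outside",
    "%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.3/63216 to 192.168.1.10/80 on interface outside",
]


def parse_201013(line):
    """Return the fields of one 201013 message as a dict, or None for other lines."""
    m = ASA_201013.search(line)
    if m is None:
        return None
    event = m.groupdict()
    for key in ("current", "limit", "src_port", "dst_port"):
        event[key] = int(event[key])
    return event


def summarize_drops(lines):
    """Group rejected attempts by client IP: count, destination ports, limit hit."""
    summary = {}
    for line in lines:
        event = parse_201013(line)
        if event is None:
            continue
        entry = summary.setdefault(
            event["src_ip"], {"drops": 0, "dst_ports": set(), "limit": event["limit"]}
        )
        entry["drops"] += 1
        entry["dst_ports"].add(event["dst_port"])
    return summary


def noisy_clients(lines, threshold):
    """Client IPs whose rejected attempts reach `threshold` (an alerting cut-off
    chosen by the operator; the value is an assumption, not an ASA setting)."""
    return sorted(ip for ip, e in summarize_drops(lines).items() if e["drops"] >= threshold)


if __name__ == "__main__":
    for ip, e in summarize_drops(SAMPLE_LOG).items():
        print(f"{ip}: {e['drops']} rejected (limit {e['limit']}), ports {sorted(e['dst_ports'])}")
    print("clients over threshold:", noisy_clients(SAMPLE_LOG, 3))
```

A single 201013 message only says that one SYN was dropped; what distinguishes a browser opening a few extra tabs from a client that is deliberately hammering the limit is the count per source over time, which is why the summary is keyed by client IP rather than by message.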

 

 

Detail 2:

I could not reproduce this detail again: in the link it can be seen that the applied policy is displayed instead of the destination http://200.69.0.1. However much I tried, I could not make it happen again; at least I managed to capture it.

ASA-5510# sh local-host 192.168.1.10
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 8/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 200.69.0.2:54269 inside 192.168.1.10:80, idle 0:00:04, bytes 27681, flags UfrIOB
    TCP outside 200.69.0.2:54268 inside 192.168.1.10:80, idle 0:00:04, bytes 18715, flags UfrIOB
    TCP outside 200.69.0.2:54267 inside 192.168.1.10:80, idle 0:00:04, bytes 17803, flags UfrIOB
    TCP outside 200.69.0.2:54266 inside 192.168.1.10:80, idle 0:00:04, bytes 26769, flags UfrIOB
    TCP outside 200.69.0.3:63201 inside 192.168.1.10:80, idle 0:00:16, bytes 71256, flags UfrIOB
    TCP outside 200.69.0.3:63200 inside 192.168.1.10:80, idle 0:00:17, bytes 27993, flags UfrIOB
    TCP outside 200.69.0.3:63199 inside 192.168.1.10:80, idle 0:00:16, bytes 57956, flags UfrIOB
    TCP outside 200.69.0.3:63195 inside 192.168.1.10:80, idle 0:00:16, bytes 65763, flags UfrIOB
Interface outside: 2 active, 2 maximum active, 0 denied
ASA-5510#

ASA-5510# sh service-policy interface outside

Interface outside:
  Service-policy: OUTSIDE-POLICY
    Class-map: CONNs
      Set connection policy: embryonic-conn-max 4 per-client-max 4 per-client-embryonic-max 4
        current embryonic conns 0, current conns 8, drop 88
ASA-5510#

%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.3/63216 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/54277 to 192.168.1.10/80 on interface outside

Detail with Chrome:

We can see that Chrome opens two TCP sessions for a single page. Here I used a Mikrotik as the web server in order to capture with Torch (for monitoring purposes only; I did not document it).

For further investigation:

Here are all the options to play with, depending on the attack we expect or what we are studying.

ASA-5510# conf t
ASA-5510(config)# policy-map OUTSIDE-POLICY
ASA-5510(config-pmap)#  class CONNs

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ASA-5510(config-pmap-c)#

ASA-5510(config-pmap-c)# set connection ?

mpf-policy-map-class mode commands/options:
  advanced-options          Configure advanced connection parameters
  conn-max                  Keyword to set the maximum number of all
                            simultaneous connections that are allowed.  Default
                            is 0 which means unlimited connections.
  decrement-ttl             Decrement Time to Live field
  embryonic-conn-max        Keyword to set the maximum number of TCP embryonic
                            connections that are allowed.  Default is 0 which
                            means unlimited connections.
  per-client-embryonic-max  Keyword to set the maximum number of TCP embryonic
                            connections that are allowed per client machine.
                            Default is 0 which means unlimited connections.
  per-client-max            Keyword to set the maximum number of all
                            simultaneous connections that are allowed per
                            client machine. Default is 0 which means unlimited
                            connections. (this is the one we study here)
  random-sequence-number    Enable/disable TCP sequence number randomization.
                            Default is to enable TCP sequence number
                            randomization
  timeout                   Configure connection timeout parameters
ASA-5510(config-pmap-c)#

Decrement-TTL variant:

What this does is decrement the TTL by 1, so the firewall stops being transparent, at least in this respect; this can be used as an obfuscation technique (hiding the real TTL).

Adding a new service:

Only the following inbound permit had to be added, since the NAT is one-to-one.

ASA-5510(config)# access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 22
ASA-5510(config)#

Verification:

With this test we show that the limit is per IP and not per TCP service (it is not 4 web flows plus 4 SSH flows, and so on).

ASA-5510# sh local-host 192.168.1.10
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 4/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 200.69.0.2:54084 inside 192.168.1.10:80, idle 0:00:43, bytes 0, flags UB
    TCP outside 200.69.0.2:54065 inside 192.168.1.10:22, idle 0:01:19, bytes 3556, flags UIOB
    TCP outside 200.69.0.2:54062 inside 192.168.1.10:22, idle 0:01:26, bytes 3556, flags UIOB
    TCP outside 200.69.0.2:54059 inside 192.168.1.10:22, idle 0:01:52, bytes 3556, flags UIOB
Interface outside: 1 active, 1 maximum active, 0 denied
ASA-5510#

The host holds one HTTP and three SSH connections from 200.69.0.2, 4 in total, so the next attempt from that client is rejected on port 80 and on port 22 alike:

%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/54092 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/54093 to 192.168.1.10/22 on interface outside

If we wanted 4 sessions per IP and per service, it would have to look like this:

ASA-5510(config)# access-list CONNs-WWW extended permit tcp any host 192.168.1.10 eq 80
ASA-5510(config)# access-list CONNs-SSH extended permit tcp any host 192.168.1.10 eq 22
ASA-5510(config)# class-map CONN-WWW
ASA-5510(config-cmap)#  match access-list CONNs-WWW
ASA-5510(config-cmap)#  exit
ASA-5510(config)# class-map CONN-SSH
ASA-5510(config-cmap)#  match access-list CONNs-SSH
ASA-5510(config-cmap)#  exit
ASA-5510(config)# policy-map OUTSIDE-POLICY
ASA-5510(config-pmap)#  class CONN-WWW
ASA-5510(config-pmap-c)# set connection per-client-max 4 (we limit to 4 TCP flows per host)
ASA-5510(config-pmap-c)# exit
ASA-5510(config-pmap)#  class CONN-SSH
ASA-5510(config-pmap-c)# set connection per-client-max 4 (we limit to 4 TCP flows per host)
ASA-5510(config-pmap-c)# exit
ASA-5510(config-pmap)# exit
ASA-5510(config)#
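The two verifications above (the single-class limit, which counts every TCP flow from a client IP regardless of destination port, and the per-service variant with one class per port) differ only in how the flows are grouped before they are compared with per-client-max. As an added example (not part of the original lab), the following Python script parses the "Conn:" lines of show local-host and reproduces both counting schemes, so the output can be checked against the configured limit before the next SYN is dropped. The four connection lines for 200.69.0.2 are the ones from the lab output; the two lines for 200.69.0.3 and the limit value passed to at_limit are constructed for the example.

```python
import re
from collections import Counter

# One "Conn:" line of "show local-host", as printed in the lab output.
# This parser is an added example, not part of the original lab.
CONN_LINE = re.compile(
    r"TCP (?P<out_if>\S+) (?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"(?P<in_if>\S+) (?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"idle (?P<idle>[\d:]+), bytes (?P<bytes>\d+), flags (?P<flags>\S+)"
)

# Constructed sample: the four lines shown for 200.69.0.2 above (one HTTP, three
# SSH) plus two HTTP connections from a second client added for the example.
SAMPLE_CONNS = """\
  Conn:
    TCP outside 200.69.0.2:54084 inside 192.168.1.10:80, idle 0:00:43, bytes 0, flags UB
    TCP outside 200.69.0.2:54065 inside 192.168.1.10:22, idle 0:01:19, bytes 3556, flags UIOB
    TCP outside 200.69.0.2:54062 inside 192.168.1.10:22, idle 0:01:26, bytes 3556, flags UIOB
    TCP outside 200.69.0.2:54059 inside 192.168.1.10:22, idle 0:01:52, bytes 3556, flags UIOB
    TCP outside 200.69.0.3:61001 inside 192.168.1.10:80, idle 0:00:02, bytes 1200, flags UIOB
    TCP outside 200.69.0.3:61002 inside 192.168.1.10:80, idle 0:00:02, bytes 980, flags UIOB
Interface outside: 2 active, 2 maximum active, 0 denied
"""


def parse_conns(text):
    """Extract the TCP connection entries from show local-host output."""
    conns = []
    for line in text.splitlines():
        m = CONN_LINE.search(line)
        if m:
            c = m.groupdict()
            for key in ("src_port", "dst_port", "bytes"):
                c[key] = int(c[key])
            conns.append(c)
    return conns


def flows_per_client(conns):
    """How a single class with per-client-max counts: every flow from a client IP, any port."""
    return Counter(c["src_ip"] for c in conns)


def flows_per_client_per_service(conns):
    """How the per-service variant (one class per destination port) would count."""
    return Counter((c["src_ip"], c["dst_port"]) for c in conns)


def at_limit(counts, limit):
    """Keys whose flow count has reached `limit`; the next SYN from them is dropped."""
    return sorted(key for key, n in counts.items() if n >= limit)


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONNS)
    print("per client:", dict(flows_per_client(conns)))
    print("at limit (single class, per-client-max 4):", at_limit(flows_per_client(conns), 4))
    print("per client and service:", dict(flows_per_client_per_service(conns)))
    print("at limit (per-service classes, per-client-max 4):",
          at_limit(flows_per_client_per_service(conns), 4))
```

With the single-class policy the client 200.69.0.2 is already at 4 and gets no further HTTP or SSH connection; with one class per service the same client has 1 on port 80 and 3 on port 22 and is under the limit in both classes, which is exactly the difference the two configurations above express.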

 

Source:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html

Final configuration:

ASA-5510# sh runn (the relevant parts are in bold)

: Saved

:

: Serial Number: JMX1235L299

: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

:

ASA Version 8.4(7)30

!

hostname ASA-5510

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface Ethernet0/0

 duplex full

 nameif outside

 security-level 0

 ip address 200.69.0.1 255.255.255.252

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 nameif management

 security-level 100

 no ip address

 management-only

!

boot system disk0:/asa847-30-k8.bin

ftp mode passive

object network obj-192.168.1.10

 host 192.168.1.10

access-list CONNs-OUTSIDE extended permit ip any host 200.69.0.1

access-list CONNs-OUTSIDE extended permit ip any host 192.168.1.10

access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq www

pager lines 24

logging enable

logging buffered informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu Isolated 1500

mtu management 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Isolated

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static obj-192.168.1.10 interface

access-group OUTSIDE-IN in interface outside

!

route outside 0.0.0.0 0.0.0.0 200.69.0.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

ssh 192.168.1.0 255.255.255.0 inside

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

!

class-map inspection_default

 match default-inspection-traffic

class-map CONNs

 match access-list CONNs-OUTSIDE

!

!

policy-map global_policy

 class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect ip-options

policy-map OUTSIDE-POLICY

 class CONNs

  set connection per-client-max 4

!

service-policy global_policy global

service-policy OUTSIDE-POLICY interface outside

prompt hostname context

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:58f7a95250fc7960d74352fe90650aae

: end

ASA-5510#

 

(2018) Sometimes, I dream of furious packets…
 Rosario, Argentina