Testing per-host TCP connection limits
Date: August 16, 2018
Scenario
This lab simulates the need to cap the number of connections per client IP to a site. The mechanism, here pushed to the extreme of only 4 sessions per IP, is a way to blunt DoS attacks in which an attacker opens dummy sessions to starve a server of resources. The setting tested here, `set connection per-client-max`, counts every connection a client holds, established or not; the half-open variant of the attack (a SYN flood that leaves embryonic sessions behind) is handled by the separate `embryonic-conn-max` and `per-client-embryonic-max` settings listed further down. I also simulated and documented that as part of the lab, but I did not include it in this document, so as to have some material to continue with later on.
As a study recommendation, although it is hard to find (on paper), this book is fantastic.
Thanks to Pablito Marinozzi for selling me his copy; I lent mine... and lost it.
Required configuration:
NAT (static 1:1 from the real host to the outside interface address):
ASA-5510(config)# object network obj-192.168.1.10
ASA-5510(config-object)# host 192.168.1.10
ASA-5510(config-object)# exit
ASA-5510(config)# nat (inside,outside) source static obj-192.168.1.10 interface
ASA-5510(config)#
Inbound permissions (on 8.3+ the ACL references the real address, not the mapped one):
ASA-5510(config)# access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 80
ASA-5510(config)# access-group OUTSIDE-IN in interface outside
ASA-5510(config)#
ACL for the interesting traffic to analyze:
We create two entries, pre-NAT and post-NAT, to confirm which one applies on post-8.3 versions.
ASA-5510(config)# access-list CONNs-OUTSIDE extended permit ip any host 200.69.0.1 (pre-NAT)
ASA-5510(config)# access-list CONNs-OUTSIDE extended permit ip any host 192.168.1.10 (post-NAT)
ASA-5510(config)#
Traffic classifier to use in the policy:
ASA-5510(config)# class-map CONNs
ASA-5510(config-cmap)# match access-list CONNs-OUTSIDE
ASA-5510(config-cmap)# exit
ASA-5510(config)#
Policy to apply on the interface:
ASA-5510(config)# policy-map OUTSIDE-POLICY
ASA-5510(config-pmap)# class CONNs
ASA-5510(config-pmap-c)# set connection per-client-max 4 (cap of 4 simultaneous connections per client host; since the class-map ACL is `permit ip`, this counts any protocol, not only TCP)
ASA-5510(config-pmap-c)# exit
ASA-5510(config-pmap)# exit
ASA-5510(config)#
Applied to the outside interface:
ASA-5510(config)# service-policy OUTSIDE-POLICY interface outside
ASA-5510(config)#
Verification:
ASA-5510# sh service-policy interface outside

Interface outside:
  Service-policy: OUTSIDE-POLICY
    Class-map: CONNs
      Set connection policy: per-client-max 4
        current conns 0, drop 0
ASA-5510#
Verification (we generate inbound traffic):
ASA-5510# sh access-list CONNs-OUTSIDE
access-list CONNs-OUTSIDE; 2 elements; name hash: 0xf4f8ea73
access-list CONNs-OUTSIDE line 1 extended permit ip any host 200.69.0.1 (hitcnt=0) 0x4151882e   (pre-NAT)
access-list CONNs-OUTSIDE line 2 extended permit ip any host 192.168.1.10 (hitcnt=19) 0x07ee2911   (post-NAT)
ASA-5510#
Only the post-NAT entry accumulates hits: from 8.3 on, access-lists (and therefore the class-maps that reference them) match on the real address, so the pre-NAT entry is dead weight and could be removed.
ASA-5510# sh local-host 192.168.1.10
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 4/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 200.69.0.2:53267 inside 192.168.1.10:80, idle 0:00:14, bytes 93480, flags UIOB
    TCP outside 200.69.0.2:53266 inside 192.168.1.10:80, idle 0:00:14, bytes 27764, flags UIOB
    TCP outside 200.69.0.2:53265 inside 192.168.1.10:80, idle 0:00:14, bytes 64633, flags UIOB
    TCP outside 200.69.0.2:53264 inside 192.168.1.10:80, idle 0:00:14, bytes 37307, flags UIOB
Interface outside: 1 active, 1 maximum active, 0 denied
ASA-5510#
Note that `show local-host` still reports `limit = unlimited` even though the policy is enforcing 4: the MPF limit and its drop counter live in `show service-policy`, not here. The drops themselves show up in the log:
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53334 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53378 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53384 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53391 to 192.168.1.10/80 on interface outside
Detail 1: the tabs showing "Waiting for 200.69.0.1" are the ones refused by the limiter (the ASA drops the client's packet, so the browser keeps retrying until its own timeout).
Detail 2:
I could not reproduce this one again. In the link you can see the applied policy shown instead of the destination http://200.69.0.1; however hard I tried I could not make it happen again, but at least I managed to capture it.
With a second client (200.69.0.3) added, each client gets its own counter of 4:
ASA-5510# sh local-host 192.168.1.10
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 8/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 200.69.0.2:54269 inside 192.168.1.10:80, idle 0:00:04, bytes 27681, flags UfrIOB
    TCP outside 200.69.0.2:54268 inside 192.168.1.10:80, idle 0:00:04, bytes 18715, flags UfrIOB
    TCP outside 200.69.0.2:54267 inside 192.168.1.10:80, idle 0:00:04, bytes 17803, flags UfrIOB
    TCP outside 200.69.0.2:54266 inside 192.168.1.10:80, idle 0:00:04, bytes 26769, flags UfrIOB
    TCP outside 200.69.0.3:63201 inside 192.168.1.10:80, idle 0:00:16, bytes 71256, flags UfrIOB
    TCP outside 200.69.0.3:63200 inside 192.168.1.10:80, idle 0:00:17, bytes 27993, flags UfrIOB
    TCP outside 200.69.0.3:63199 inside 192.168.1.10:80, idle 0:00:16, bytes 57956, flags UfrIOB
    TCP outside 200.69.0.3:63195 inside 192.168.1.10:80, idle 0:00:16, bytes 65763, flags UfrIOB
Interface outside: 2 active, 2 maximum active, 0 denied
ASA-5510#
The `f` and `r` flags mean the inside host has sent a FIN and it was acknowledged: these connections are half-closed, yet they still occupy a slot of the client's 4 until they finish closing or `timeout half-closed` (10 minutes in this config) removes them. That is part of why a browser can get stuck behind the limiter with no visible activity.
ASA-5510# sh service-policy interface outside

Interface outside:
  Service-policy: OUTSIDE-POLICY
    Class-map: CONNs
      Set connection policy: embryonic-conn-max 4 per-client-max 4 per-client-embryonic-max 4
        current embryonic conns 0, current conns 8, drop 88
ASA-5510#
At this point the class also carried `embryonic-conn-max 4` and `per-client-embryonic-max 4`, from the embryonic-session test mentioned in the scenario; the final configuration at the end of this document keeps only `per-client-max 4`.
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.3/63216 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/54277 to 192.168.1.10/80 on interface outside
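On the operations side, the `%ASA-3-201013` messages are the artifact you will actually alert on. The following Python is an added example, not part of the original lab and not Cisco code: it parses messages with the exact layout shown above, aggregates drops per client IP and per (client, destination port), and lists clients past a threshold. The sample log is constructed for this example (the drops shown above, one from the second client, and an unrelated `302013` connection-build message that must be ignored); if your collector prepends a timestamp and hostname, the regex still finds the message body anywhere in the line.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List

# Message body of %ASA-3-201013 as shown in the lab output above.
# Format: "... exceeded <curr>/<limit> for <dir> packet from <sip>/<sport> to <dip>/<dport> on interface <if>"
ASA_201013 = re.compile(
    r"%ASA-3-201013: Per-client connection limit exceeded "
    r"(?P<curr>\d+)/(?P<limit>\d+) for (?P<direction>input|output) packet from "
    r"(?P<sip>[\d.]+)/(?P<sport>\d+) to (?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<ifname>\S+)"
)

# Constructed sample for this example (not a real capture): the four drops from the
# first client, one from the second client, and an unrelated 302013 message.
SAMPLE_LOG = """\
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53334 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53378 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53384 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/53391 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.3/63216 to 192.168.1.10/80 on interface outside
%ASA-6-302013: Built inbound TCP connection 1234 for outside:200.69.0.2/53265 (200.69.0.2/53265) to inside:192.168.1.10/80 (200.69.0.1/80)
"""


def parse_201013(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield one dict per per-client-limit drop; any other message is skipped."""
    for line in lines:
        m = ASA_201013.search(line)
        if m:
            event = m.groupdict()
            for key in ("curr", "limit", "sport", "dport"):
                event[key] = int(event[key])
            yield event


def drops_per_client(lines: Iterable[str]) -> Counter:
    """Drops keyed by client (source) IP, the key the ASA enforces the limit on."""
    return Counter(e["sip"] for e in parse_201013(lines))


def drops_per_client_service(lines: Iterable[str]) -> Counter:
    """Drops keyed by (client IP, destination port): which service the client
    was reaching for when it hit the cap."""
    return Counter((e["sip"], e["dport"]) for e in parse_201013(lines))


def noisy_clients(lines: Iterable[str], threshold: int) -> List[str]:
    """Clients with at least `threshold` drops. A browser with many tabs produces a
    handful against a limit of 4; a sustained stream from one IP is the DoS signal."""
    return sorted(ip for ip, n in drops_per_client(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("drops per client:", dict(drops_per_client(lines)))
    print("drops per client/service:", dict(drops_per_client_service(lines)))
    print("clients at or over 3 drops:", noisy_clients(lines, 3))
```

Feed it the ASA's syslog buffer (`show logging`) or the collector's file; the threshold is the knob to tune against your real limit, since with `per-client-max 4` a perfectly legitimate browser will trip a few drops on every page load.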
Detail with Chrome:
We can see that Chrome opens two TCP sessions for a single page. Here I used a Mikrotik as the web server so I could capture with Torch (monitoring only; I did not document it).
To keep investigating:
Here are all the options to play with, depending on the attack we expect or what we are studying.
ASA-5510# conf t
ASA-5510(config)# policy-map OUTSIDE-POLICY
ASA-5510(config-pmap)# class CONNs
ASA-5510(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ASA-5510(config-pmap-c)#
ASA-5510(config-pmap-c)# set connection ?

mpf-policy-map-class mode commands/options:
  advanced-options          Configure advanced connection parameters
  conn-max                  Keyword to set the maximum number of all simultaneous
                            connections that are allowed. Default is 0 which means
                            unlimited connections.
  decrement-ttl             Decrement Time to Live field
  embryonic-conn-max        Keyword to set the maximum number of TCP embryonic
                            connections that are allowed. Default is 0 which means
                            unlimited connections.
  per-client-embryonic-max  Keyword to set the maximum number of TCP embryonic
                            connections that are allowed per client machine.
                            Default is 0 which means unlimited connections.
  per-client-max            Keyword to set the maximum number of all simultaneous
                            connections that are allowed per client machine.
                            Default is 0 which means unlimited connections.
                            (this is the one studied here)
  random-sequence-number    Enable/disable TCP sequence number randomization.
                            Default is to enable TCP sequence number randomization
  timeout                   Configure connection timeout parameters
ASA-5510(config-pmap-c)#
The decrement-ttl variant:
This decrements the IP TTL by 1 as packets pass through, so the firewall stops being transparent in at least this respect: it shows up as a hop in a traceroute. The default (no decrement) is what keeps the device invisible to path enumeration, so enable this only when you deliberately want the firewall to appear as a hop.
Adding a new service:
Only the following inbound permission had to be added, since the NAT is 1:1.
ASA-5510(config)# access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 22
ASA-5510(config)#
Verification:
This test shows that the limit is per client IP, not per IP and service: the client does not get 4 web flows plus 4 SSH flows, it gets 4 in total, spread across whatever ports it uses (here 1 HTTP and 3 SSH). Note also that an idle established connection counts just the same: the `:80` flow below with `bytes 0` still holds a slot until it closes or `timeout conn` (1 hour in this config) expires.
ASA-5510# sh local-host 192.168.1.10
Interface management: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 4/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 200.69.0.2:54084 inside 192.168.1.10:80, idle 0:00:43, bytes 0, flags UB
    TCP outside 200.69.0.2:54065 inside 192.168.1.10:22, idle 0:01:19, bytes 3556, flags UIOB
    TCP outside 200.69.0.2:54062 inside 192.168.1.10:22, idle 0:01:26, bytes 3556, flags UIOB
    TCP outside 200.69.0.2:54059 inside 192.168.1.10:22, idle 0:01:52, bytes 3556, flags UIOB
Interface outside: 1 active, 1 maximum active, 0 denied
ASA-5510#
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/54092 to 192.168.1.10/80 on interface outside
%ASA-3-201013: Per-client connection limit exceeded 4/4 for input packet from 200.69.0.2/54093 to 192.168.1.10/22 on interface outside
If we wanted 4 sessions per IP and per service, it would have to look like this. One caveat: `class CONNs` must be removed from OUTSIDE-POLICY, or at least placed after the two new classes. For a given feature (connection limits here) a flow is matched against the first class in the policy-map whose ACL fits, and later classes are not consulted, so the broad `permit ip any host 192.168.1.10` class would otherwise take all the HTTP and SSH traffic and the new classes would never see a packet.
ASA-5510(config)# access-list CONNs-WWW extended permit tcp any host 192.168.1.10 eq 80
ASA-5510(config)# access-list CONNs-SSH extended permit tcp any host 192.168.1.10 eq 22
ASA-5510(config)# class-map CONN-WWW
ASA-5510(config-cmap)# match access-list CONNs-WWW
ASA-5510(config-cmap)# exit
ASA-5510(config)# class-map CONN-SSH
ASA-5510(config-cmap)# match access-list CONNs-SSH
ASA-5510(config-cmap)# exit
ASA-5510(config)# policy-map OUTSIDE-POLICY
ASA-5510(config-pmap)# class CONN-WWW
ASA-5510(config-pmap-c)# set connection per-client-max 4 (4 HTTP connections per client host)
ASA-5510(config-pmap-c)# exit
ASA-5510(config-pmap)# class CONN-SSH
ASA-5510(config-pmap-c)# set connection per-client-max 4 (4 SSH connections per client host)
ASA-5510(config-pmap-c)# exit
ASA-5510(config-pmap)# exit
ASA-5510(config)#
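To make the difference between the two layouts concrete, the following Python models the one ASA rule that decides it: for a given feature (connection limits), a new flow is classified by the first class in the policy-map whose ACL matches, and later classes are not consulted. It is an added example, not Cisco code and not part of the original lab; the ACE, class and policy names mirror the configuration above and the client addresses are the lab's. Besides the single-class policy (4 total per IP) and the per-service policy (4 HTTP plus 4 SSH), it also runs the snippet above applied literally, with `class CONNs` still first in OUTSIDE-POLICY, to show that the broader class keeps winning.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERVER = "192.168.1.10"  # real (post-NAT) address, which is what the class-map ACLs see


@dataclass(frozen=True)
class Ace:
    """One access-list entry, reduced to the fields a class-map match needs here."""
    proto: str                   # "ip" or "tcp"
    dst: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        if self.dst != dst:
            return False
        if self.proto == "ip":   # 'permit ip any host X' matches any protocol and port
            return True
        return self.proto == proto and self.dport in (None, dport)


@dataclass
class ConnClass:
    """A class-map with its 'set connection per-client-max' value and live counters."""
    name: str
    acl: Tuple[Ace, ...]
    per_client_max: int
    conns: Dict[str, int] = field(default_factory=lambda: defaultdict(int))  # client IP -> open conns


class PolicyMap:
    """Connection-limit feature of a policy-map: a new flow belongs to the FIRST class
    whose ACL matches; later classes are not consulted for this feature."""

    def __init__(self, classes: List[ConnClass]):
        self.classes = classes
        self.drops = 0  # what 'show service-policy' reports as 'drop'

    def new_conn(self, client: str, proto: str, dst: str, dport: int) -> bool:
        for c in self.classes:
            if any(a.matches(proto, dst, dport) for a in c.acl):
                if c.conns[client] >= c.per_client_max:
                    self.drops += 1  # the ASA would log one %ASA-3-201013 here
                    return False
                c.conns[client] += 1
                return True
        return True  # no class matched: no limit applies to this flow


def single_class_policy() -> PolicyMap:
    """The lab's first policy: CONNs = 'permit ip any host 192.168.1.10', per-client-max 4."""
    return PolicyMap([ConnClass("CONNs", (Ace("ip", SERVER),), 4)])


def per_service_policy() -> PolicyMap:
    """4 per client per service: CONN-WWW and CONN-SSH, with CONNs removed."""
    return PolicyMap([
        ConnClass("CONN-WWW", (Ace("tcp", SERVER, 80),), 4),
        ConnClass("CONN-SSH", (Ace("tcp", SERVER, 22),), 4),
    ])


def per_service_policy_with_conns_left_in() -> PolicyMap:
    """The snippet above applied literally: 'class CONNs' still first in OUTSIDE-POLICY."""
    return PolicyMap([
        ConnClass("CONNs", (Ace("ip", SERVER),), 4),
        ConnClass("CONN-WWW", (Ace("tcp", SERVER, 80),), 4),
        ConnClass("CONN-SSH", (Ace("tcp", SERVER, 22),), 4),
    ])


def simulate(policy: PolicyMap, client: str = "200.69.0.2") -> Tuple[int, int, int]:
    """Open 4 HTTP and then 4 SSH connections from one client.
    Returns (accepted HTTP, accepted SSH, cumulative drops on the policy)."""
    http = sum(policy.new_conn(client, "tcp", SERVER, 80) for _ in range(4))
    ssh = sum(policy.new_conn(client, "tcp", SERVER, 22) for _ in range(4))
    return http, ssh, policy.drops


if __name__ == "__main__":
    for label, factory in [("single class CONNs", single_class_policy),
                           ("per service", per_service_policy),
                           ("per service, CONNs left first", per_service_policy_with_conns_left_in)]:
        print(f"{label:32s} http/ssh/drops = {simulate(factory())}")
```

The counters are keyed per class and per client, so a second client gets its own 4 in every layout, which is exactly what the two-client `show local-host` output earlier showed.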
Source:
Final configuration (the relevant lines are the network object, the CONNs-OUTSIDE and OUTSIDE-IN access-lists, class-map CONNs, policy-map OUTSIDE-POLICY and its service-policy):
ASA-5510# sh runn
: Saved
:
: Serial Number: JMX1235L299
: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 8.4(7)30
!
hostname ASA-5510
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 duplex full
 nameif outside
 security-level 0
 ip address 200.69.0.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa847-30-k8.bin
ftp mode passive
object network obj-192.168.1.10
 host 192.168.1.10
access-list CONNs-OUTSIDE extended permit ip any host 200.69.0.1
access-list CONNs-OUTSIDE extended permit ip any host 192.168.1.10
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq www
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Isolated 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Isolated
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-192.168.1.10 interface
access-group OUTSIDE-IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 200.69.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
ssh 192.168.1.0 255.255.255.0 inside
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
 match default-inspection-traffic
class-map CONNs
 match access-list CONNs-OUTSIDE
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
policy-map OUTSIDE-POLICY
 class CONNs
  set connection per-client-max 4
!
service-policy global_policy global
service-policy OUTSIDE-POLICY interface outside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:58f7a95250fc7960d74352fe90650aae
: end
ASA-5510#
Two lab shortcuts are visible here and should not travel to production: `enable password 8Ry2YjIyt7RRXU24` and `passwd 2KFQnbNIdI.2KYOU` are the factory-default hashes (empty enable password and `cisco`), and `ssh key-exchange group dh-group1-sha1` is the weak legacy key exchange. The `mtu Isolated 1500` and `icmp deny any Isolated` lines refer to an interface name that appears nowhere else in this config, a leftover from an earlier lab. Note too that this snapshot predates the SSH test: OUTSIDE-IN only permits `eq www`.
(2018) Sometimes, I dream with furious packets…
Rosario, Argentina