In message <CAG6TeAt9eodf-OihH0vow25GFC-P__P+NO9yKMycBsUQhOpYuA@mail.gmail.com> , Fernando Gont writes:
El 12/1/2017 16:28, "Mark Andrews" <marka@isc.org> escribi=C3=B3:
In message <11ff128d-2fba-7c26-4a9c-5611433d85d2@si6networks.com>, Fernando Gont writes:
Hi, Saku,
On 01/12/2017 11:43 AM, Saku Ytti wrote:
On 12 January 2017 at 13:19, Fernando Gont <fgont@si6networks.com> wrote:
Hey,
I'm curious about whether folks are normally filtering ICMPv6 PTB<1280 and/or IPv6 fragments targeted to BGP routers (off-list datapoints are welcome).
Generally may be understood differently by different people. If generally is defined as single most typical behaviour/configuration, then generally people don't protect their infrastructure in any way at all, but fully rely vendor doing something reasonable.
I would argue BCP is to have 'strict' CoPP. Where you specifically allow what you must then have ultimate rule to deny everything. If you have such CoPP, then this attack won't work, as you clearly didn't allow any fragments at all (as you didn't expect to receive BGP fragments from your neighbours).
That's the point: If you don't allow fragments, but your peer honors ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
And fragments are a *normal* part of IP for both IPv4 and IPv6. This obsession with dropping all fragments (and yes it is a obsession) is breaking the internet.
Vendors got the frag reassembly code wrong so many times , that I understand the folk that decides to drop them if deemed unnecessary.
Most of them literally decades ago. 20+ years ago while you waited for you vendor to fix the bug it made some sense as most of your boxes were vulnerable. It was a new threat back then. It doesn't make sense today. Packet bigger than 1500 are a part of todays internet. Have a look a the stats for dropped fragments. They aren't for the most part attack traffic. Its legitmate reply traffic that has been requested.
Even if you don't want to allow all fragments through you can allow fragments between the two endpoints of a "active" connection.
At times folks want to get rid of fragments directed to them, rather than those going *through* them.
You can apply port filters to the offset 0 fragments. If that fragment doesn't have enough headers to be able to filter then drop it. If your firewall is incapable of doing this then find a better firewall as the current one is a piece of garbage and should be in the recycle bin.
Which DoS is the bigger issue? Firewalls dropping fragments or reassembly buffers being exhausted?
If there is no way for an attacker to trigger the use of fragmentation, and you don't need fragments (e.g. only tcp-based services), from a security pov you're certainly better off dropping frags that are thrown at you. Not that I like it, but....
Thanks, Fernando
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org