Penetration Testing mailing list archives
Re: DROP or REJECT that is the question...
From: Tim <tim-pentest () sentinelchicken org>
Date: Thu, 5 Apr 2007 21:38:08 -0400
Hello, I looked into this question as a part of some research, and came to some conclusions on it for myself. I will use Paul's email below to help me put it into context.
> A 'reject' action on a firewall really means that you send an ICMP 3:3* (destination/port unreachable) message back to the source.
Not necessarily true. I believe the typical closed port response for TCP is a TCP reset. Your statement is true for UDP though.
> Best practice for this is to use drop unless there's a specific need for the source to receive an ICMP reject message. Using reject incorrectly can make your firewall a pawn on DoS attacks by spoofing ICMP or DNS traffic to it.
I used to believe this as well. However, when you think specifically about the DoS attack issue, the chances are your network is going to expose at least one TCP port to the outside world, for instance. If you do, then an attacker can use you for reflected TCP handshake amplification on that port. You won't be able to do much to stop it, in all likelihood, and it doesn't matter if all of your blocked ports send out one RST. The attacker won't bother using it, since he gets better amplification on the open port. On the UDP side, things may be slightly different, but I suspect not greatly so.
> As far as giving away information, your firewall will probably be detected but also assumed by attackers. Your firewall policy should be to deny all traffic except for the [small number of] services that you need to allow through. This shouldn't be any big deal. No worse than ICMP timestamps being allowed on your routers, for example.
My research was specifically focused on information leakage through TCP port scanning. After modeling the various scenarios (SYN stealth scanning, spoofed SYNs, spoofed SYNs through an idle scan, etc), I found that the best strategy for the defender is to always return a RST on blocked ports. This is because it will eliminate the attacker's ability to use an idle scan to obtain port information without giving away her IP address. Keep in mind that you must be very careful about how the RSTs are sent back, and this isn't the only consideration. Also, this applies only to TCP since idle scans are generally a TCP-only attack. Food for thought though.
> Also, the fact that you're asking about drop vs. reject tells me that there's a good probability that your firewall is either Check Point or iptables. Recon is easy. Get over it. The best thing to do is to harden your network against attack assuming that those details are publicly available.
Yeah, if I were you, I wouldn't worry too much about someone profiling your firewall. Just be sure you understand exactly what your firewall is doing, and keep it patched.

HTH,
tim
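As an added example (not code from Tim's or Paul's mail), the following POSIX shell script prints an iptables-restore ruleset for the policy discussed above: default deny, a short allow list, and a BLOCKED chain that either answers blocked TCP with a RST and blocked UDP with ICMP port-unreachable, or silently drops, for side-by-side comparison. The interface name, allowed ports and reply rate cap are assumed placeholder values.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for "drop" or "reject".
# Assumed values; adjust to the real outside interface and service list.
WAN_IF="eth0"             # outside interface (assumed)
TCP_SERVICES="22 80 443"  # allowed inbound TCP ports (assumed)
UDP_SERVICES="53"         # allowed inbound UDP ports (assumed)
REPLY_RATE="10/s"         # cap on generated RST/ICMP replies (assumed)

gen_ruleset() {
    # $1 selects how blocked traffic is answered: "reject" or "drop".
    mode=$1
    echo '*filter'
    echo ':INPUT DROP [0:0]'          # default deny, as Paul recommends
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':BLOCKED - [0:0]'           # user chain holding the drop/reject choice
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $TCP_SERVICES; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -j ACCEPT"
    done
    for p in $UDP_SERVICES; do
        echo "-A INPUT -i $WAN_IF -p udp --dport $p -j ACCEPT"
    done
    echo '-A INPUT -j BLOCKED'
    if [ "$mode" = reject ]; then
        # Blocked TCP gets a RST (Tim's point), blocked UDP gets ICMP 3:3
        # (Paul's point).  The limit match is the "be careful how RSTs are
        # sent back" caveat: replies are rate-capped so the box cannot be
        # made to generate unbounded RST/ICMP traffic on someone's behalf.
        echo "-A BLOCKED -p tcp -m limit --limit $REPLY_RATE -j REJECT --reject-with tcp-reset"
        echo "-A BLOCKED -p udp -m limit --limit $REPLY_RATE -j REJECT --reject-with icmp-port-unreachable"
    fi
    # Anything left (over the cap, other protocols, or plain "drop" mode) is silent.
    echo '-A BLOCKED -j DROP'
    echo 'COMMIT'
}

# Usage: ./fw.sh reject > fw.rules && iptables-restore < fw.rules
if [ -n "${1:-}" ]; then
    gen_ruleset "$1"
fi
```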