PIX 6.3(3) blocks traffic - easy DOS attack

jlacis
Level 1

If I try to scan a server <172.16.1.5> using the tool NMAP with a faked IP source address:

"nmap -sF -S 10.1.1.1 -e alb0 172.16.1.5" where

-sF (FIN scan, could be other scans also)

-S 10.1.1.1 (faked source)

-e alb0 (interface, usually eth0)

172.16.1.5 (victim)

The PIX silently blocks any traffic from 10.1.1.1 to 172.16.1.5 for about half an hour!!! The result is that anybody with NMAP can block traffic from the real IP address (the fake source in NMAP syntax) to the server IP address. This could be used to make a DOS attack.

PIX does not LOG a single word about the attack or the traffic blocking!?

5 Replies

a_williams
Level 1

The default setting for blocking on the 4.1 sensor is 30 minutes. You can easily change this under the Configuration/Blocking/Blocking Properties menu. Once configured, add the blocking field to your IEV. This will give you the ability to see on the IDS if a blocking action has taken place.

I am talking about PIX blocking traffic. PIX is not in any way configured to work together with IDS sensor. This behaviour is only PIX related. PIX version 6.3(3).

My mistake, just assumed that it was IDS related on this forum.

marcabal
Cisco Employee

If you don't get an answer here on the IDS Forum then I would suggest trying the Firewall Forum:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee6e1fa

jlacis
Level 1

Sorry to say, but this turned out to be our fault. PIX was not blocking traffic; it was done by Symantec Firewall on a PC. Nothing to do with PIX. The issue is solved.
