1st, let's look at some TCP options. These are defined by IANA and are available here:
http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-1
1st, what is TCP normalization?
Normalization, aka "scrubbing", ensures that TCP sessions conform to the correct standards or expected parameters. This could be something as simple as clamping the TCP MSS value, removing certain TCP options like Window Scaling or Selective ACKs, or dropping SYN and SYN-ACK packets that carry data.
In a few cases, we normalize TCP datagrams to combat bad programs or applications that misbehave with certain types of TCP parameters. This interim fix is typically used until the application is corrected or the OS is updated.
- In the past, I've worked in the DDoS sector, and we used tcp-mss to clamp maximum TCP segments before entering a GRE tunnel.
- In the financial sector, we had misbehaving applications that couldn't be corrected in the TCP/IP stack, so we used a mix of tcp-normalization methods to remove certain options from the TCP SYN datagram (i.e. SACK, WSCALE, TimeStp, etc.). We ended up disabling "SACK" for just one of the many services hosted on the server platform, without modifying the rest of the services.
- Another example: we had an upstream external IPS that freaked out on certain TCP traffic. This particular IPS was aggressive and we really couldn't write exemption rules to cover all possibilities. So we instead normalized the traffic before it reached the IPS sensor.
On the Cisco ASA, you will have to define a tcp-map and reference it from a class-map matching the traffic we want normalized.
This usually requires the following:
- acl
- class-map
- tcp-map
- policy-map
Here are a few samples with tcpdump screenshots of the cleaned-up TCP datagram.
(the dropping of the TCP option SACK using a defined ACL)
A tcpdump of my SYN and SYN-ACK shows:
(the dropping of the TCP option "WSCALE" using a defined ACL)
Tcpdump shows that the WSCALE option is now gone!
More examples
(the dropping of multiple TCP options using a defined ACL)
Tcpdump shows the TCP options on the SYN are now gone!
NOTE: if you don't need specific src/dst matching, you can use a port match in the class-map instead of an ACL to accomplish the same. The ACL approach allows for finer control of the src/dst.
NOTE: Dropping a SYN or SYN/ACK that has data is very simple, and a TCP conversation should never start with data to begin with.
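The pieces above (acl, class-map, tcp-map, policy-map) tied together as one added ASA configuration example; this is not the config from the original post, and the host 192.0.2.10, port 443 and all object names are constructed placeholders. It also shows the port-match alternative from the first note, and the syn-data drop from the second.

```cisco
! --- ACL approach: only normalize traffic to one service on one host (constructed values)
access-list ACL-NORMALIZE-SACK extended permit tcp any host 192.0.2.10 eq 443
class-map CM-NORMALIZE-SACK
 match access-list ACL-NORMALIZE-SACK
!
! --- tcp-map 1: clear only Selective ACK (option kind 4 / 5 stays off the wire)
tcp-map TM-CLEAR-SACK
 tcp-options selective-ack clear
!
! --- tcp-map 2: clear several options and drop any SYN that carries data
tcp-map TM-CLEAR-MULTI
 tcp-options selective-ack clear
 tcp-options window-scale clear
 tcp-options timestamp clear
 syn-data drop
!
! --- port-match alternative when src/dst granularity is not needed
class-map CM-NORMALIZE-443
 match port tcp eq 443
!
! --- bind the tcp-maps to the classes inside the default global policy
policy-map global_policy
 class CM-NORMALIZE-SACK
  set connection advanced-options TM-CLEAR-SACK
 class CM-NORMALIZE-443
  set connection advanced-options TM-CLEAR-MULTI
!
! --- global_policy is already applied globally on a default ASA; shown for completeness
service-policy global_policy global
```

Classes are evaluated in order, so a flow that matches CM-NORMALIZE-SACK gets only the SACK clear; verify which class a flow hit with "show service-policy" and confirm the option removal with tcpdump on the far side, as the screenshots above do.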
Ken Felix
Network & Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( - - )=
o
/ \