Last Friday (Oct 30, 1998) a message was posted to Bugtraq describing a Denial of Service Attack against the WatchGuard FireBox II. The poster, Sr. Matias Ruiz, described how he had caused a FireBox II to crash during a "Pepsi" attack launched against the trusted interface from the trusted network.

When the WatchGuard Rapid Response Team saw the post, we began trying to contact Sr. Ruiz and to duplicate the exploit. To date, we have been unsuccessful contacting Sr. Ruiz. We have completed our testing of the Firebox II and have been unsuccessful in duplicating the results that Sr. Ruiz has described in his post. We believe that the Firebox II running the currently shipping version of the software is not vulnerable to the attack as it was described.

To more fully understand the ramifications of this class of attack against the WatchGuard Security System we extended the parameters of our testing to include simultaneous Pepsi, New-Pep and Ping-flooding from multiple sources on both a 100 MB Ethernet segment and a 10 MB Ethernet segment. These attacks were run against the trusted interface from the trusted network on both the Firebox II, and the Firebox 100.

Our results are as follows:

1) The FB II running the currently shipping version of the software, (Version 3.1) operated normally during the test on both the 10 and 100 MB segments.

2) The FB 100 running the currently shipping version of the software, (Version 3.0 Rev.A) operated normally during the test on the 10 MB segment.

3) The FB 100 running the currently shipping version of the software, (Version 3.0 Rev.A) did suffer a gradual degradation of performance on a 100MB segment leading to a reboot after 30 Min. of continuous flooding. At no time was the test platform "disarmed".

As a practical matter, the behavior observed in test case 3 (above) is a highly anomalous and easily traceable traffic pattern, the impact of which can be mitigated by a few simple configuration changes. Contact WatchGuard Technical Support if you have any questions.

In the absence of any further information from Sr. Ruiz, we believe that his report of a vulnerability in the FireBox II is in error.

WatchGuard Rapid Response Team