Regarding the reported DOS against the internal interface of a

From: WatchGuard Rapid Response (RapidResponseat_private)
Date: Wed Nov 04 1998 - 13:14:28 PST


    Last Friday (Oct 30, 1998) a message was posted to Bugtraq describing
    a Denial of Service Attack against the WatchGuard FireBox II. The
    poster, Sr. Matias Ruiz, described how he had caused a FireBox II to
    crash during a "Pepsi" attack launched against the trusted interface
    from the trusted network.  When the WatchGuard Rapid Response Team saw
    the post, we began trying to contact Sr. Ruiz and to duplicate the
    exploit.
    To date, we have been unsuccessful contacting Sr. Ruiz.  We have
    completed our testing of the Firebox II and have been unsuccessful in
    duplicating the results that Sr. Ruiz has described in his post.  We
    believe that the Firebox II running the currently shipping version of
    the software is not vulnerable to the attack as it was described.
    
    To more fully understand the ramifications of this class of attack
    against the WatchGuard Security System, we extended the parameters of
    our testing to include simultaneous Pepsi, New-Pep and Ping-flooding
    from multiple sources on both a 100 MB Ethernet segment and a 10 MB
    Ethernet segment.  These attacks were run against the trusted interface
    from the trusted network on both the Firebox II, and the Firebox 100.
    Our results are as follows:
    
    1) The FB II running the currently shipping version of the software,
    (Version 3.1) operated normally during the test on both the 10 and 100
    MB segments
    
    2) The FB 100 running the currently shipping version of the software,
    (Version 3.0 Rev.A) operated normally during the test on the 10 MB
    segment
    
    3) The FB 100 running the currently shipping version of the software,
    (Version 3.0 Rev.A) did suffer a gradual degradation of performance on a
    100MB segment leading to a reboot after 30 Min. of continuous flooding.
    At no time was the test platform "disarmed".
    
    As a practical matter, the behavior observed in test case 3 (above) is
    a highly anomalous and easily traceable traffic pattern, the impact of
    which can be mitigated by a few simple configuration changes.  Contact
    WatchGuard Technical Support if you have any questions.
    
    In the absence of any further information from Sr. Ruiz, we believe that
    his report of a vulnerability in the FireBox II is in error.
    
    
    WatchGuard Rapid Response Team
    


