A FireWall-1 NT denial of service was actually discovered/discussed on bugtraq in February using similar methodologies to those described by Lance Spitzner in his recent mail. This is one of the public posts, but there was quite a bit of discussion in private mail as well.

To summarize: Someone was claiming that this problem was not in FireWall-1 NT, but NT's IP stack that was causing the crash. I was fairly certain this was not the case, as I had just done quite a bit of testing against NT 4.0 SP4 at the time with nmap. I had followed up by testing FireWall-1 NT v4.1, and it did crash (the NT service shot up to 100% CPU usage) when several spoofed SYN scans were run against its untrusted interface. The difference between this attack and the one Lance has described is that this attack appeared to work against both the trusted and untrusted interfaces, and can be performed over multiple hops.

An interesting addition--I also noticed that when pinging the untrusted/external interface of FireWall-1 NT v4.1 with large (>32k) ping packets, there seemed to be incremental growth of non-paged kernel memory (viewable in Task Manager, on the Performance tab). I didn't have time to test this to see if it capped off after a certain point or not, though. If it is incremental, this is another denial of service that could be performed from a remote untrusted network.

I would be interested to find out if either of these problems continue to manifest themselves in the latest versions of FireWall-1 NT and Solaris. If anyone has a FireWall-1 installation handy, it shouldn't take but a minute to test.
ttyl

-----------------------------------------
Matt Hargett
mailto:mattat_private
http://www.clock.org/~matt

---------- Forwarded message ----------
Date: Sun, 21 Feb 1999 17:43:44 -0600 (CST)
From: Matt Hargett <hargettat_private>
To: bugtraqat_private
Cc: malikaiat_private
Subject: RE: NT DoS on FW-1

> This issue can be fixed by simply implementing a stealthing rule on the
> firewall itself. The problem is in NT's stack, not the FireWalls.
>
> Jamie Thain wrote:
>
> > Timothy,
> >
> > > I was running nmap against a client's Checkpoint FW-1
> > > when they called to inform me that it had crashed. I
> > > was not on site so unfortunately I have little
> > > details.
> >
> > I have seen this before where a high speed port scanner running against a
> > FW-1 on NT seems to crash it. FW-1 does not exhibit this behaviour on
> > Sun. You may want to check and make sure you have the most recent patch
> > level. That information is on the FW-1 site.
> >
> > > I DO know that they were running it on a NT
> > > box and it was behind a Cisco 3640.

I have done a bit of testing using nmap against NT 4.0 with SP4. My findings were that plain NT 4.0 SP4 doesn't crash/behave erratically by itself with the many instances of nmap options that I tried. Certainly not a simple SYN scan with OS fingerprinting.

What exactly is the problem in NT's stack and how exactly can you measure its adverse reaction? I was looking under task manager at the nonpaged kernel memory, process, thread, and handle counts.

-----------------------------------------
Matt Hargett
http://www.cityscape.net/~hargett
mattat_private

sex on the TV, everybody's at it and the mind gets dirty as you get closer to thirty
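The question the post leaves open (does the non-paged pool growth cap off, or keep climbing?) is settled by sampling the counter at a fixed interval during the test and classifying the trend. The script below is an added example, not code from the thread or from Check Point; the three sample series are constructed, and the counter name it mentions is an assumption about where a modern host exposes the figure Task Manager shows.

```python
"""Classify a run of non-paged pool samples as leaking, capped, or stable.

Feed `samples` with the non-paged kernel memory figure (Task Manager's
Performance tab; on current Windows the Memory object's "Pool Nonpaged
Bytes" counter, an assumption) read at a fixed interval while the test
traffic runs. The series at the bottom are constructed, not measured.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class PoolTrend:
    verdict: str               # "leaking", "capped" or "stable"
    growth_bytes: int          # last sample minus first sample
    plateau_at: Optional[int]  # index where growth stopped, if capped


def analyse_nonpaged_pool(samples: Sequence[int], noise: int = 4096,
                          window: int = 3) -> PoolTrend:
    """`noise` is jitter to ignore; `window` is how many consecutive flat
    samples at the end of the run are needed to call the growth capped."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    growth = samples[-1] - samples[0]
    if growth <= noise:
        return PoolTrend("stable", growth, None)
    # Earliest tail of at least `window` samples whose spread is within noise:
    # the pool grew, then levelled off at that index.
    for start in range(len(samples) - window + 1):
        tail = samples[start:]
        if max(tail) - min(tail) <= noise:
            return PoolTrend("capped", growth, start)
    # No flat tail: still climbing when sampling stopped.
    return PoolTrend("leaking", growth, None)


KB = 1024
# Constructed: 64 KB more per sample, never levels off (the case that matters).
CONSTRUCTED_LEAK = [40_000 * KB + i * 64 * KB for i in range(10)]
# Constructed: grows for four samples, then holds (allocation that capped off).
CONSTRUCTED_CAPPED = [40_000 * KB + min(i, 4) * 64 * KB for i in range(10)]
# Constructed: jitter only.
CONSTRUCTED_STABLE = [40_000 * KB + j for j in (0, 512, -300, 900, 100, 50)]

if __name__ == "__main__":
    for name, series in (("leak", CONSTRUCTED_LEAK),
                         ("capped", CONSTRUCTED_CAPPED),
                         ("stable", CONSTRUCTED_STABLE)):
        print(name, analyse_nonpaged_pool(series))
```

A "leaking" verdict is the one worth acting on: it means the growth did not stop within the sampling run, so the host will eventually exhaust the pool if the traffic continues.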
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:37 PDT