Lance, Good write up on the page. I have a wild one for you is in the INSPECT code do you think this problem can be solved? I am going to start looking at it tonight and see what I can get going with it. One more question I had is and I only heard back from one person saying they filled up the connections on a LINUX proxy based FW in the same matter with NMAP. I was wondering if this would work on other FW's? You might be on to something big... Eric sends lanceat_private on 07/30/99 06:10:00 PM To: BUGTRAQat_private@Internet cc: (bcc: James E McWilliams/CA/KAIPERM) Subject: FW-1 DOS attack: PART II I would greatly appreciate if you could pass this along. It does a much better job of explaing what the exact problem/DOS is with FW-1. I would like to clarify exactly how the DOS works. Everything I am about to cover is documented in detail at http://www.enteract.com/~lspitz/fwtable.html When you start a TCP connection, you send a SYN packet. When FW-1 filters this packet, it checks it against the rule base, if the session is allowed, it is added to the connections table with a timeout of 60 seconds. When the remote host responds, the session is bumped up to a 3600 second timeout. Now, if you start a connection with an ACK packet, the FW compares it against the rule base, if allowed it is added to the connections table. However, the timeout is set to 3600 seconds and does not care if a remote system responds. You now have a session with a 1 hour timeout, even though no system responded. Now, do this with alot of ACK packets, and you have full connections table. Most companies allow http outbound. Run this command as root from an internal system, I give your FW about 10 to 15 minutes. If your internal network is a 10.x.x.x, try 172.16.*.* nmap -sP 10.*.*.* nmap is a very powerful port scanner. With this command it does only a PING and TCP sweep (default port 80), but uses an ACK instead of a SYN. To verify that your connections table is quickly growing, try "fw tab -t connections -s" at 10 second intervals. Tested on ver 4.0 SP3 on Solaris x86 2.6. I would greatly appreciate if anyone could prove/disprove this. Also, FW-1's SynDefender did not protect against this attack. Lance http://www.enteract.com/~lspitz
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:51 PDT