FW: ACK Dos Attack

From: Oscar Wahlberg (oscar.wahlbergat_private)
Date: Wed Aug 11 1999 - 02:25:12 PDT


    aleph,
    
    Forwarding Check Point's response to the recent DoS discussions.
    They've developed INSPECT code to handle the ACK DoS.
    The code in the announcement might have compilation problems, but the URL
    contains compilable code.
    
    
    
    ----- Forwarded from Check Point Support <cpsupporat_private> -----
    
    From: "Check Point Support" <cpsupporat_private>
    To: <fw-1-mailinglistat_private>
    Subject: [FW1] ACK Dos Attack
    Date: Tue, 10 Aug 1999 23:27:36 -0500
    Message-ID: <000f01bee3b1$d6bed620$ad542bcfat_private>
    X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
    
    
    This message is a follow-up to the Check Point response to the ACK DoS
    attack posted last week.  Check Point has developed INSPECT code changes
    that provide a solution for this type of attack.  This code change enables
    Check Point gateways to drop non-first TCP packets instead of matching the
    rule base.  It should be noted that this INSPECT fix will cause a change of
    behavior from the existing Check Point gateway behavior in the following
    way: following a reboot, policy unload or stopping the firewall, all active
    TCP connections will be blocked, and any timed-out TCP connections
    (i.e., connections that have been inactive longer than the TCP timeout) will
    be disconnected.  The ability of FireWall-1/VPN-1 to maintain connections
    after policy reload will not be affected by this change.
    
    For those with UNMODIFIED $FWDIR/lib/code.def files, you can go to the Check
    Point web site and download Check Point updated files (go to:
    http://www.checkpoint.com/techsupport/alerts/ackdos.html).  Another option
    is to edit the code.def files as described below.
    
    Check Point 4.0-based Installations:
    The following INSPECT code (between the two lines starting with "-----")
    should be added to the $FWDIR/lib/code.def file (at the end of the file,
    just before the #endif statement).  NOTE: if you are managing V3.0 modules
    using the 4.0 backwards compatibility feature, please make the changes to
    the V3.0 code.def file (located in $FWDIR/lib30), as described under "Check
    Point 3.0-based Installations" below.  After completing the edit, re-install the
    security policy.  For 4.0-based installations, this code will also log these
    events.
    
    ----- 4.0 edit follows -----
    // Three opening parentheses were lost in the archived copy; they are restored
    // here so that each ") or", ") or 1," and ");" below has its match.
    #ifndef ALLOW_NONFIRST_RULEBASE_MATCH
                    tcp, first or <conn> in old_connections or
                    (
    #ifndef NO_NONFIRST_RULEBASE_MATCH_LOG
                    (
                            <ip_p,src,dst,sport,dport,0> in logged
                    ) or
                    (
                            record <ip_p,src,dst,sport,dport,0> in logged,
                            set sr10 12, set sr11 0, set sr12 0, set sr1 0,
                            log bad_conn
                    ) or 1,
    #endif
                    vanish
                    );
    #endif
    ----- End of 4.0 insert -----
    
    Check Point 3.0-based Installations:
    The following INSPECT code (between the two lines starting with "-----")
    should be added to the $FWDIR/lib/code.def file (at the end of the file,
    just before the #endif statement).  After completing the edit, re-install
    the security policy.
    
    ----- 3.0 edit follows -----
    #ifndef ALLOW_NONFIRST_RULEBASE_MATCH
            tcp, first or <conn> in old_connections or vanish;
    #endif
    ----- End of 3.0 insert -----
    
    Thank you,
    
    Check Point Support
    
    
    
    
    ----- End forwarded message -----
    
    
    
    --
    Oscar Wahlberg <oscar.wahlbergat_private>
    phone: +46-(0)708-44 55 63  fax: +46-(0)708-44 55 74
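The following Python simulation is an added example, not Check Point code and not part of the forwarded mail. It models the decision the INSPECT fragment above expresses (`tcp, first or <conn> in old_connections or ... vanish`): a TCP packet that is neither the opening SYN nor part of a known connection is dropped before the rule base is consulted, and its tuple is logged once. It also reproduces the behaviour change the advisory warns about, where an established connection is blocked once the connection table is lost. The rule base, addresses and the reading of "first" as SYN-without-ACK are constructed assumptions for the demonstration.

```python
"""Simulation of the non-first TCP packet handling described in the advisory.
Constructed example for illustration; it is not Check Point code."""
from dataclasses import dataclass, field

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

    @property
    def first(self) -> bool:
        """INSPECT's 'first' read as the opening SYN (SYN set, ACK clear); an assumption."""
        return bool(self.flags & SYN) and not (self.flags & ACK)

    @property
    def key(self):
        # Mirrors the advisory's <ip_p,src,dst,sport,dport,0> tuple (ip_p 6 = TCP).
        return (6, self.src, self.dst, self.sport, self.dport)


@dataclass
class Gateway:
    rules: list                       # constructed rule base: (dport or "any", action)
    nonfirst_vanish: bool = True      # True = advisory fix in place, False = old behaviour
    connections: set = field(default_factory=set)  # stateful connection table
    logged: set = field(default_factory=set)       # the 'logged' table: one entry per tuple
    log: list = field(default_factory=list)
    rulebase_lookups: int = 0         # the expensive path an ACK flood tries to exercise

    def match_rulebase(self, pkt):
        self.rulebase_lookups += 1
        for port, action in self.rules:
            if port in ("any", pkt.dport):
                return action
        return "drop"                 # implicit drop at the end of the rule base

    def handle(self, pkt):
        if pkt.key in self.connections:
            return "accept"           # known connection: stateful match, no rule base
        if not pkt.first and self.nonfirst_vanish:
            # The fix: a non-first packet of an unknown connection never reaches the
            # rule base.  Log its tuple once ('record ... in logged'), then vanish.
            if pkt.key not in self.logged:
                self.logged.add(pkt.key)
                self.log.append(("bad_conn", pkt.key))
            return "drop"
        action = self.match_rulebase(pkt)
        if action == "accept" and pkt.first:
            self.connections.add(pkt.key)
        return action

    def reload(self):
        """Reboot, policy unload or stopping the firewall: the connection table is lost."""
        self.connections.clear()


def ack_flood(nonfirst_vanish, n=1000):
    """Feed n spoofed ACKs (constructed addresses) aimed at a permitted port.
    Returns (rule-base lookups, log entries)."""
    gw = Gateway(rules=[(80, "accept")], nonfirst_vanish=nonfirst_vanish)
    for i in range(n):
        gw.handle(Packet(f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10", 1024 + i, 80, ACK))
    return gw.rulebase_lookups, len(gw.log)


def established_after_reload(nonfirst_vanish):
    """Fate of an established connection's next ACK once the table is lost."""
    gw = Gateway(rules=[(80, "accept")], nonfirst_vanish=nonfirst_vanish)
    syn = Packet("198.51.100.7", "192.0.2.10", 40000, 80, SYN)
    ack = Packet("198.51.100.7", "192.0.2.10", 40000, 80, ACK)
    before = (gw.handle(syn), gw.handle(ack))
    gw.reload()
    return before, gw.handle(ack)


if __name__ == "__main__":
    print("old behaviour, 1000-packet ACK flood:", ack_flood(False))
    print("with fix,      1000-packet ACK flood:", ack_flood(True))
    print("old behaviour, ACK after reload:", established_after_reload(False))
    print("with fix,      ACK after reload:", established_after_reload(True))
```

With the fix, the flood causes no rule-base lookups at all and each offending tuple is logged exactly once, which is what keeps the gateway's CPU out of the attacker's reach; the price is that `established_after_reload(True)` drops the surviving connection's ACK until the client opens a new one, exactly the behaviour change the advisory describes.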
    


