I have seen this happen in one case where the customer had incorrectly configured the firewall to have two rules that both matched a packet. When a syn hit that port, the Raptor box would go into fits and start spewing what looked to be developer debug statements. I don't remember the version they we running or how the conflicting rules were created, just that there were two rules matching the same connection. Does the firewall spit anything out on the console (popups, error logs, etc)? Does a TCP connect scan cause the same problem? -HD On Thursday 06 December 2001 06:06 pm, Stuart wrote: > We've run a pentest against a customer recently and found that the very act > of port scanning their Raptor firewall (running on NT) crippled its ability > to accept incoming connections for their web site. The firewall is a new > high spec PIII and the least line is a decent size. The nmap scans were > standard timing (not T5 or anything daft) - once the scans were stopped, > things burst back in to life within about 10minutes. [ snip ] > Does this ring any bells with anyone? Seems very odd to me... a portscan > should not cause a DOS by itself... ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 10:15:11 PST