Re: Raptor Firewall

From: Lambottat_private
Date: Fri Dec 07 2001 - 02:03:35 PST


    Stuart,
    
    I've come across a similar problem in the course of a PenTest using the #nmap -sU option (UDP scan).
    It appears there is no fix to date.
    You will find more info. on http://xforce.iss.net/static/7484.php
    http://www.remote-exploit.org/downloads.php
    
    Feel free to contact me directly to discuss.
    
    Taiye Lambo, CISSP
    Principal Security Consultant
    CyberCops Europe (UK)
    Mobile: 07958 430 094
    
    
    In a message dated Fri, 7 Dec 2001 06:07:24  Greenwich Mean Time, "Stuart" <stuart.hackinfoat_private> writes:
    
    > We've run a pentest against a customer recently and found that the very act
    > of port scanning their Raptor firewall (running on NT) crippled its ability
    > to accept incoming connections for their web site. The firewall is a new
    > high spec PIII and the leased line is a decent size. The nmap scans were
    > standard timing (not T5 or anything daft) - once the scans were stopped,
    > things burst back into life within about 10 minutes.
    > 
    > This sounds like a lack of available connections type problem (similar to
    > SYN flooding) to me. The firewall was running at about 10% CPU usage at the
    > time and was not swapping to disk at all, also strangely, internal access
    > outbound to the net for web browsing seemed unaffected?
    > 
    > It's the latest version of Raptor and we're told it's fully patched up to
    > date.
    > 
    > Does this ring any bells with anyone? Seems very odd to me... a portscan
    > should not cause a DOS by itself...
    > 
    > 
    > thanks
    > Stuart
    > IT Security Consultant, UK
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 11:35:56 PST