Re: Raptor Firewall

From: Erik Parker (eparkerat_private)
Date: Fri Dec 07 2001 - 13:45:34 PST


    Was the unit still returning packets or did the actual scan itself end up
    failing? I've scanned Raptor firewalls before and have not seen this
    behavior, but it could also be very dependent on their specific ruleset.
    We were scanning an IP that was also used for SNAT at all?
    
    Nothing in the logs at all? Also, when you were testing if you could get
    to the site, during the scan, was it from the same machine, or other
    location as well as customer reported?
    
    Were you able to sniff and see if the packets were passing through the
    firewall at all, and getting to the web server?
    
    S> We've run a pentest against a customer recently and found that the very act
    S> of port scanning their Raptor firewall (running on NT) crippled its ability
    S> to accept incoming connections for their web site. The firewall is a new
    S> high spec PIII and the leased line is a decent size. The nmap scans were
    S> standard timing (not T5 or anything daft) - once the scans were stopped,
    S> things burst back into life within about 10 minutes.
    S>
    S> This sounds like a lack of available connections type problem (similar to
    S> SYN flooding) to me. The firewall was running at about 10% CPU usage at the
    S> time and was not swapping to disk at all, also strangely, internal access
    S> outbound to the net for web browsing seemed unaffected?
    S>
    S> It's the latest version of Raptor and we're told it's fully patched up to
    S> date.
    S>
    S> Does this ring any bells with anyone? Seems very odd to me... a portscan
    S> should not cause a DOS by itself...
    
    



    This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 13:48:44 PST