('binary' encoding is not supported, stored as-is) Hi, last year I reported a denial of service to Firewall-1 : flooding on port 264 ( fw1_topo ). Check Point was not able to reproduce this attack so they never recognise it as a real problem. Now, many security concerned sites have this behaviour in their firewalls bug lists. You can stop this attack if you manually create all the rules and limit the acces to this port ( 264 ) only to clients that need it. But there was a special situation : a firewall that accepts connections to fw1_topo with ANY as source to allow Securemote connections with a dinamic IP address... For this D.o.S. to success you needed a fast link so the only real scenario was to attack from the internal network. Probably, too many requisites needed,...OK. So, what If I am an external attacker ? I can build a trojan and mail it to some internal user of the target network. The trojan will send packets to some external IP, to force them to pass trough the Firewall-1. This time, we do not need to know the Firewall IP , we only send a lot of packets to port 80 with the SYN flag. Simply, rude but effective. My tests always finish with the firewall completely frozen. The firewall machine is a Professional Win2000, PII 350 with 320 MB. Link is a 10 MB ethernet. The software used is ippacket. Now the packet we build is : -source : valid internal IP ( does not matter ) -dest : external IP -source port : 10000 ( does not matter ) -dest port : 80 ( probably the firewall rules accept it ) -flags : SYN -mode : -1 ( continuous mode ) In the case of Microsoft ISA Server I have been trying some types of packets to flood it, and the one it seems to frooze the firewall is this ( land ): -source : internal ISA IP -dest : internal ISA IP -source port : 8080 -dest port : 8080 -flags : SYN -mode : -1 ( continuous mode ) And the ISA stops responding : clients will not be able to surf the web, ISA machine does not respond ( CRTL + ALT + SUP does not work ), ... This tests has been done with an ISA configured with http proxy on port 8080 on a Win2000 Server. Generally, I think is not difficult to smash a firewall if you are on the local network. You only have to find wich packets will force the forwarding/filtering device to work hard : if the firewall uses proxies, some kind of authentication, some statefull inspection, etc, then it is an easy job. Now, it seems that old packet filters are more efective on defending this attacks, since they do not do a deep inspect... So, is this a general flaw on modern firewalls ? Are they unable to manage large ammount of connections requests ? Bad guys are not only in the wild, they can be in your network, or they can begin an attack from your internal network with a trojan. Please I would agree some feedback. Hugo Vázquez Caramés Security Consultant Barcelona SPAIN
This archive was generated by hypermail 2b30 : Sun Feb 17 2002 - 09:02:58 PST