Just increase the size of the state table, which you should have done when sizing the links going into your firewall. E.g.:

Checkpoint: Check phoneboy for the table size poke.
Pix: *never* enter nat/static translations without specifying max embryonic/setup connections.

Problem solved ("RTFM" and "THINK")

Dom

|-----Original Message-----
|From: overclocking_a_la_abuelaat_private
|[mailto:overclocking_a_la_abuelaat_private]
|Sent: Sunday, February 17, 2002 3:18 PM
|To: vuln-devat_private
|Subject: Firewall-1 and ISA D.o.S.
|
|Hi,
|
|Last year I reported a denial of service to Firewall-1: flooding on port 264 (fw1_topo). Check Point was not able to reproduce this attack, so they never recognised it as a real problem. Now many security-concerned sites have this behaviour in their firewall bug lists.
|You can stop this attack if you manually create all the rules and limit access to this port (264) only to clients that need it. But there was a special situation: a firewall that accepts connections to fw1_topo with ANY as source, to allow SecuRemote connections with a dynamic IP address...
|For this D.o.S. to succeed you needed a fast link, so the only real scenario was to attack from the internal network.
|Probably too many requisites needed... OK.
|
|So, what if I am an external attacker?
|I can build a trojan and mail it to some internal user of the target network. The trojan will send packets to some external IP, to force them to pass through the Firewall-1. This time we do not need to know the firewall IP, we only send a lot of packets to port 80 with the SYN flag. Simple, rude but effective. My tests always finish with the firewall completely frozen.
|The firewall machine is a Professional Win2000, PII 350 with 320 MB. Link is a 10 MB Ethernet. The software used is ippacket. Now the packet we build is:
|
|-source: valid internal IP (does not matter)
|-dest: external IP
|-source port: 10000 (does not matter)
|-dest port: 80 (probably the firewall rules accept it)
|-flags: SYN
|-mode: -1 (continuous mode)
|
|In the case of Microsoft ISA Server I have been trying some types of packets to flood it, and the one that seems to freeze the firewall is this (land):
|
|-source: internal ISA IP
|-dest: internal ISA IP
|-source port: 8080
|-dest port: 8080
|-flags: SYN
|-mode: -1 (continuous mode)
|
|And the ISA stops responding: clients will not be able to surf the web, the ISA machine does not respond (CTRL + ALT + SUP does not work), ...
|These tests have been done with an ISA configured with HTTP proxy on port 8080 on a Win2000 Server.
|
|Generally, I think it is not difficult to smash a firewall if you are on the local network. You only have to find which packets will force the forwarding/filtering device to work hard: if the firewall uses proxies, some kind of authentication, some stateful inspection, etc., then it is an easy job. Now it seems that old packet filters are more effective at defending against these attacks, since they do not do a deep inspect...
|
|So, is this a general flaw in modern firewalls? Are they unable to manage a large amount of connection requests?
|Bad guys are not only in the wild, they can be in your network, or they can begin an attack from your internal network with a trojan.
|I would appreciate some feedback.
|
|Hugo Vázquez Caramés
|Security Consultant
|Barcelona
|SPAIN
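As an added illustration of both halves of this exchange (not code from either poster), the following Python script looks at the two packet shapes Hugo describes from the defender's side: it flags land-style packets (source and destination endpoint identical, the ISA case), flags a single internal host emitting SYNs far above a normal rate (the port 80 flood), and enforces a per-source half-open connection cap of the kind Dom says should be configured on the firewall itself (the embryonic limit). The log format, the sample packets, and all threshold values are constructed for the example.

```python
"""Added example, not part of the vuln-dev thread.

Flags the packet patterns discussed above and emulates a per-source
half-open ("embryonic") connection cap. The input is a constructed,
simplified text log with one packet per line:

    <ts> <src_ip>:<sport> -> <dst_ip>:<dport> <flags>

where <flags> is a comma-separated list such as SYN or SYN,ACK.
"""
from collections import defaultdict

EMBRYONIC_LIMIT = 3   # max half-open connections per source (assumed value)
SYN_RATE_LIMIT = 5    # max SYNs per source inside SYN_WINDOW seconds (assumed)
SYN_WINDOW = 1.0      # seconds

# Constructed sample traffic: 10.0.0.5 floods SYNs at port 80 with varying
# source ports, 10.0.0.7 completes a normal handshake, and the ISA host
# 10.0.0.1 receives a land-style packet aimed at its own 8080 proxy port.
SAMPLE_LOG = [
    "0.00 10.0.0.5:10000 -> 203.0.113.10:80 SYN",
    "0.05 10.0.0.5:10001 -> 203.0.113.10:80 SYN",
    "0.10 10.0.0.7:40000 -> 203.0.113.20:443 SYN",
    "0.10 10.0.0.5:10002 -> 203.0.113.10:80 SYN",
    "0.12 10.0.0.7:40000 -> 203.0.113.20:443 ACK",
    "0.15 10.0.0.5:10003 -> 203.0.113.10:80 SYN",
    "0.20 10.0.0.5:10004 -> 203.0.113.10:80 SYN",
    "0.25 10.0.0.5:10005 -> 203.0.113.10:80 SYN",
    "0.30 10.0.0.5:10006 -> 203.0.113.10:80 SYN",
    "0.35 10.0.0.5:10007 -> 203.0.113.10:80 SYN",
    "0.40 10.0.0.1:8080 -> 10.0.0.1:8080 SYN",
]


def parse_line(line):
    """Parse one constructed log line into a packet dict."""
    ts, src, arrow, dst, flags = line.split()
    if arrow != "->":
        raise ValueError("malformed line: %r" % line)
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport),
            "flags": set(flags.split(","))}


def is_land(pkt):
    """Land-style packet: source endpoint equals destination endpoint."""
    return pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def analyse(lines):
    """Return [(kind, src_ip, first_ts)] sorted by first occurrence.

    kinds: 'land', 'syn_rate' (SYNs per source above SYN_RATE_LIMIT in
    SYN_WINDOW), 'embryonic_limit' (half-open connections per source
    above EMBRYONIC_LIMIT; the excess SYN is treated as dropped).
    """
    half_open = defaultdict(set)    # src -> {(sport, dst, dport)} not yet completed
    syn_times = defaultdict(list)   # src -> timestamps of recent SYNs
    first_seen = {}                 # (kind, src) -> first ts

    def alert(kind, pkt):
        first_seen.setdefault((kind, pkt["src"]), pkt["ts"])

    for line in lines:
        pkt = parse_line(line)
        key = (pkt["sport"], pkt["dst"], pkt["dport"])
        if is_land(pkt):
            alert("land", pkt)
            continue
        if pkt["flags"] == {"SYN"}:
            # Sliding-window SYN rate per source; a flood that reuses one
            # 4-tuple (as in the original post) is caught here even though
            # it would occupy only a single half-open slot below.
            recent = syn_times[pkt["src"]]
            recent.append(pkt["ts"])
            while recent and pkt["ts"] - recent[0] > SYN_WINDOW:
                recent.pop(0)
            if len(recent) > SYN_RATE_LIMIT:
                alert("syn_rate", pkt)
            # Embryonic cap: count half-open connections per source.
            half_open[pkt["src"]].add(key)
            if len(half_open[pkt["src"]]) > EMBRYONIC_LIMIT:
                alert("embryonic_limit", pkt)
                half_open[pkt["src"]].discard(key)   # emulate the firewall dropping it
        elif pkt["flags"] & {"ACK", "FIN", "RST"}:
            # Handshake completed or torn down: no longer half-open.
            half_open[pkt["src"]].discard(key)

    return sorted(((k, s, t) for (k, s), t in first_seen.items()),
                  key=lambda a: (a[2], a[0]))


if __name__ == "__main__":
    for kind, src, ts in analyse(SAMPLE_LOG):
        print("%-16s %-10s first seen t=%.2f" % (kind, src, ts))
```

Run on the sample log it reports the embryonic cap being exceeded by 10.0.0.5 at t=0.15, the SYN rate threshold at t=0.25, and the land packet from 10.0.0.1 at t=0.40, while 10.0.0.7's completed handshake produces nothing. The cap logic is the point: a firewall that bounds half-open entries per source, as the PIX max embryonic setting does, sheds the flood instead of letting one internal host fill the state table.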
This archive was generated by hypermail 2b30 : Sun Feb 17 2002 - 20:35:45 PST