RE: Firewall-1 and ISA D.o.S.

From: Dom De Vitto (Domat_private)
Date: Sun Feb 17 2002 - 14:50:27 PST


    Just increase the size of the state table, which you should
    have done when sizing the links going into your firewall.
    
    e.g.:
    Checkpoint: Check phoneboy for the table size poke.
    Pix: *never* enter nat/static translations without
    specifying max embryonic/setup connections.
    
    Problem solved ("RTFM" and "THINK")
    Dom
     |-----Original Message-----
     |From: overclocking_a_la_abuelaat_private 
     |[mailto:overclocking_a_la_abuelaat_private] 
     |Sent: Sunday, February 17, 2002 3:18 PM
     |To: vuln-devat_private
     |Subject: Firewall-1 and ISA D.o.S.
     |
     |
     |
     |
     |Hi,
     |
     |last year I reported a denial of service to
     |Firewall-1 : flooding on port 264 ( fw1_topo ).
     |Check Point was not able to reproduce this attack
     |so they never recognise it as a real problem. Now,
     |many security concerned sites have this behaviour
     |in their firewalls bug lists.
     |You can stop this attack if you manually create
     |all the rules and limit the access to this port (
     |264 ) only to clients that need it. But there was
     |a special situation : a firewall that accepts
     |connections to fw1_topo with ANY as source to
     |allow SecuRemote connections with a dynamic IP
     |address...
     |For this D.o.S. to succeed you needed a fast link
     |so the only real scenario was to attack from the
     |internal network.
     |Probably, too many requisites needed,...OK.
     |
     |So, what if I am an external attacker ?
     |I can build a trojan and mail it to some internal
     |user of the target network. The trojan will send
     |packets to some external IP, to force them to pass
     |through the Firewall-1. This time, we do not need
     |to know the Firewall IP , we only send a lot of
     |packets to port 80 with the SYN flag. Simply, rude
     |but effective. My tests always finish with the
     |firewall completely frozen.
     |The firewall machine is a Professional Win2000,
     |PII 350 with 320 MB. Link is a 10 MB ethernet. 
     |The software used is ippacket. Now the packet we
     |build is :
     |
     |-source : valid internal IP ( does not matter )
     |-dest     : external IP
     |-source port : 10000 ( does not matter ) 
     |-dest port :  80 ( probably the firewall rules
     |accept it )
     |-flags    : SYN
     |-mode   : -1  ( continuous mode )
     |
     |In the case of Microsoft ISA Server I have been
     |trying some types of packets to flood it, and the
     |one that seems to freeze the firewall is this ( land
     |):
     |
     |-source : internal ISA IP
     |-dest : internal ISA IP
     |-source port : 8080
     |-dest port : 8080
     |-flags : SYN
     |-mode : -1 ( continuous mode )
     |
     |And the ISA stops responding : clients will not be
     |able to surf the web, ISA machine does not
     |respond ( CRTL + ALT + SUP does not work ), ...
     |These tests have been done with an ISA configured
     |with http proxy on port 8080 on a Win2000 Server.
     |
     |Generally, I think it is not difficult to smash a
     |firewall if you are on the local network. You only
     |have to find which packets will force the
     |forwarding/filtering device to work hard : if the
     |firewall uses proxies, some kind of
     |authentication, some stateful inspection, etc,
     |then it is an easy job. Now, it seems that old
     |packet filters are more effective on defending these
     |attacks, since they do not do a deep inspect...
     |
     |So, is this a general flaw on modern firewalls ?
     |Are they unable to manage a large amount of
     |connection requests ?
     |Bad guys are not only in the wild, they can be in
     |your network, or they can begin an attack from
     |your internal network with a trojan.
     |Please, I would appreciate some feedback.
     |
     |Hugo Vázquez Caramés
     |Security Consultant
     |Barcelona
     |SPAIN
     |
    
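The following is an added illustration, not code from this thread or from either vendor: a toy model of a stateful firewall's connection table that shows the two knobs Dom's reply points at (the state-table size and a per-source cap on embryonic, i.e. half-open, connections) plus an idle timeout for entries that never complete the handshake. The table size, limits, addresses and traffic pattern are all constructed sample values chosen to mirror the scenario in the original post (one internal host spraying SYNs at port 80 through the firewall).

```python
"""Toy model of a stateful firewall's state table under a SYN flood.

Added example (not from the vuln-dev thread). Entries are keyed by the
4-tuple; a half-open entry occupies a slot until the handshake completes
or the idle timeout expires. All numbers and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str, int]          # (src, sport, dst, dport)


@dataclass
class StateTable:
    max_entries: int                          # total slots (the "table size poke")
    embryonic_limit: Optional[int] = None     # per-source half-open cap; None = uncapped
    half_open_timeout: float = 30.0           # seconds an unanswered SYN may hold a slot
    entries: Dict[FlowKey, Tuple[float, bool]] = field(default_factory=dict)  # key -> (created_at, established)
    rejected: int = 0

    def _expire(self, now: float) -> None:
        """Drop half-open entries that have sat idle past the timeout."""
        dead = [k for k, (t, est) in self.entries.items()
                if not est and now - t > self.half_open_timeout]
        for k in dead:
            del self.entries[k]

    def _half_open_from(self, src: str) -> int:
        return sum(1 for key, (_t, est) in self.entries.items()
                   if key[0] == src and not est)

    def syn(self, now: float, src: str, sport: int, dst: str, dport: int) -> bool:
        """Handle a new SYN. Returns True if a state entry exists for it afterwards."""
        self._expire(now)
        key: FlowKey = (src, sport, dst, dport)
        if key in self.entries:
            return True                       # retransmit of a flow we already track
        if (self.embryonic_limit is not None
                and self._half_open_from(src) >= self.embryonic_limit):
            self.rejected += 1                # this source already has its quota of half-open flows
            return False
        if len(self.entries) >= self.max_entries:
            self.rejected += 1                # table full: even legitimate clients are refused
            return False
        self.entries[key] = (now, False)
        return True

    def established(self, key: FlowKey) -> None:
        """Mark a flow as completed (handshake finished); it no longer counts as embryonic."""
        if key in self.entries:
            self.entries[key] = (self.entries[key][0], True)


def run_scenario(embryonic_limit: Optional[int]) -> Tuple[bool, int, int]:
    """One internal host floods 3000 SYNs to an external web server within 3 s;
    a second internal host then opens one ordinary connection.

    Returns (legitimate SYN accepted, slots in use, SYNs rejected)."""
    table = StateTable(max_entries=1000, embryonic_limit=embryonic_limit)
    flooder = "10.0.0.50"                     # constructed internal address
    for i in range(3000):
        table.syn(now=i * 0.001, src=flooder, sport=10000 + i,
                  dst="203.0.113.10", dport=80)
    accepted = table.syn(now=6.0, src="10.0.0.7", sport=40000,
                         dst="203.0.113.20", dport=443)
    return accepted, len(table.entries), table.rejected


if __name__ == "__main__":
    for limit in (None, 50):
        ok, used, rej = run_scenario(limit)
        print(f"embryonic_limit={limit}: legitimate SYN accepted={ok}, "
              f"slots used={used}, rejected={rej}")
```

With no per-source cap the single flooder fills all 1000 slots within the first second and the second host's connection is refused, which is the "firewall frozen for everyone" outcome described above; with a cap of 50 half-open flows per source the flooder is held to 50 slots and the other host's SYN goes through. Dom's first remedy (a bigger table) only moves the point at which the uncapped case fails, so the cap and a short half-open timeout are what actually protect other clients.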



    This archive was generated by hypermail 2b30 : Sun Feb 17 2002 - 20:35:45 PST