Bugtraq mailing list archives

Regarding the reported DOS against the internal interface of a


From: RapidResponse () WATCHGUARD COM (WatchGuard Rapid Response)
Date: Wed, 4 Nov 1998 13:14:28 -0800


Last Friday (Oct 30, 1998) a message was posted to Bugtraq describing
a Denial of Service Attack against the WatchGuard FireBox II. The
poster, Sr. Matias Ruiz, described how he had caused a FireBox II to
crash during a "Pepsi" attack launched against the trusted interface
from the trusted network.  When the WatchGuard Rapid Response Team saw
the post, we began trying to contact Sr. Ruiz and to duplicate the
exploit.
To date, we have been unsuccessful contacting Sr. Ruiz.  We have
completed our testing of the Firebox II and have been unsuccessful in
duplicating the results that Sr. Ruiz has described in his post.  We
believe that the Firebox II running the currently shipping version of
the software is not vulnerable to the attack as it was described.

To more fully understand the ramifications of this class of attack
against the WatchGuard Security System, we extended the parameters of
our testing to include simultaneous Pepsi, New-Pep and Ping-flooding
from multiple sources on both a 100 MB Ethernet segment and a 10 MB
Ethernet segment.  These attacks were run against the trusted interface
from the trusted network on both the Firebox II, and the Firebox 100.
Our results are as follows:

1) The FB II running the currently shipping version of the software,
(Version 3.1) operated normally during the test on both the 10 and 100
MB segments

2) The FB 100 running the currently shipping version of the software,
(Version 3.0 Rev.A) operated normally during the test on the 10 MB
segment

3) The FB 100 running the currently shipping version of the software,
(Version 3.0 Rev.A) did suffer a gradual degradation of performance on a
100MB segment leading to a reboot after 30 Min. of continuous flooding.
At no time was the test platform "disarmed".

As a practical matter, the behavior observed in test case 3 (above) is
a highly anomalous and easily traceable traffic pattern, the impact of
which can be mitigated by a few simple configuration changes.  Contact
WatchGuard Technical Support if you have any questions.

In the absence of any further information from Sr. Ruiz, we believe that
his report of a vulnerability in the FireBox II is in error.


WatchGuard Rapid Response Team


