Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: asan () ISFNET AD JP (Shin'ichi Asano)
Date: Mon, 2 Aug 1999 00:28:30 +0900
Hello. "Scott, Richard" <Richard.Scott () BESTBUY COM> wrote :
Sure this is the case if you have a rule set that has something like. Let in a packet that is bound to some address range. If I have a rule set that is host based, allowing only a few specific IP address's in the DoS attack is limited?
I agree. Almost sites configured FireWall-1 host based for inbound access. and if machine which have target IP is there, it may return a RST packet for "established packet". Such case, FireWall-1 may not add it to "connections" table. At this point, this DoS is not effective from out side at almost sites. But from inside...... as Lance said. This problem may be due to FireWall-1's "Recover TCP Connection" function. I think this function have been disabled from version 3.0b + some patch( may be 3045 ) for some security reason. About connections table, is there a way for stop this behavior by changing *.def files, or is it kernel function ? --- Shin'ichi Asano ( asan () isfnet ad jp ) "Spitzner, Lance" <lance () SPITZNER NET> wrote :
I would greatly appreciate if you could pass this along. It does a much better job of explaing what the exact problem/DOS is with FW-1. I would like to clarify exactly how the DOS works. Everything I am about to cover is documented in detail at http://www.enteract.com/~lspitz/fwtable.html When you start a TCP connection, you send a SYN packet. When FW-1 filters this packet, it checks it against the rule base, if the session is allowed, it is added to the connections table with a timeout of 60 seconds. When the remote host responds, the session is bumped up to a 3600 second timeout. Now, if you start a connection with an ACK packet, the FW compares it against the rule base, if allowed it is added to the connections table. However, the timeout is set to 3600 seconds and does not care if a remote system responds. You now have a session with a 1 hour timeout, even though no system responded. Now, do this with alot of ACK packets, and you have full connections table. Most companies allow http outbound. Run this command as root from an internal system, I give your FW about 10 to 15 minutes. If your internal network is a 10.x.x.x, try 172.16.*.* nmap -sP 10.*.*.* nmap is a very powerful port scanner. With this command it does only a PING and TCP sweep (default port 80), but uses an ACK instead of a SYN. To verify that your connections table is quickly growing, try "fw tab -t connections -s" at 10 second intervals. Tested on ver 4.0 SP3 on Solaris x86 2.6. I would greatly appreciate if anyone could prove/disprove this. Also, FW-1's SynDefender did not protect against this attack. Lance http://www.enteract.com/~lspitz
Current thread:
- Re: Simple DOS attack on FW-1 James Burns (Jul 31)
- <Possible follow-ups>
- Re: Simple DOS attack on FW-1 Chris Brenton (Jul 31)
- Re: Simple DOS attack on FW-1 Lance Spitzner (Jul 31)
- Re: Simple DOS attack on FW-1 Lance Spitzner (Jul 31)
- Re: Simple DOS attack on FW-1 Victoria E. Lease (Aug 03)
- Re: Simple DOS attack on FW-1 Rogier Wolff (Aug 04)
- Re: Simple DOS attack on FW-1 David Maxwell (Aug 05)
- Re: Simple DOS attack on FW-1 Shin'ichi Asano (Aug 01)
- Re: Simple DOS attack on FW-1 Olaf Selke (Aug 01)
- Re: Simple DOS attack on FW-1 Anonymous (Aug 04)
- Re: Simple DOS attack on FW-1 Michael Wojcik (Aug 05)