Re: Simple DOS attack on FW-1

[asan () ISFNET AD JP (Shin'ichi Asano)]

Hello.

"Scott, Richard" <Richard.Scott () BESTBUY COM> wrote  :

> Sure this is the case if you have a rule set that has something like.  Let
> in a packet that is bound to some address range.
> If I have a rule set that is host based, allowing only a few specific IP
> address's in the DoS attack is limited?

I agree.

 Almost sites configured FireWall-1 host based for inbound access.
and if machine which have target IP is there, it may return a RST
packet for "established packet". Such case, FireWall-1 may not add
it to "connections" table.

At this point, this DoS is not effective from out side at almost
sites. But from inside......  as Lance said.

This problem may be due to FireWall-1's "Recover TCP Connection"
function.

I think this function have been disabled from version 3.0b + some
patch( may be 3045 ) for some security reason.

About connections table, is there a way for stop this behavior by
changing *.def files, or is it kernel function ?

---
Shin'ichi Asano ( asan () isfnet ad jp )

"Spitzner, Lance" <lance () SPITZNER NET> wrote  :

> I would greatly appreciate if you could pass this along.
> It does a much better job of explaing what the exact
> problem/DOS is with FW-1.
>
> I would like to clarify exactly how the DOS works.
> Everything I am about to cover is documented in
> detail at
> http://www.enteract.com/~lspitz/fwtable.html
>
> When you start a TCP connection, you send a SYN packet.
> When FW-1 filters this packet, it checks it against the rule
> base, if the session is allowed, it is added to the
> connections table with a timeout of 60 seconds.  When the
> remote host responds, the session is bumped up to a 3600
> second timeout.
>
> Now, if you start a connection with an ACK packet, the FW
> compares it against the rule base, if allowed it is added
> to the connections table.  However, the timeout is set to
> 3600 seconds and does not care if a remote system
> responds.  You now have a session with a 1 hour timeout,
> even though no system responded.  Now, do this with alot
> of ACK packets, and you have full connections table.
>
> Most companies allow http outbound.  Run this command
> as root from an internal system, I give your FW about 10
> to 15 minutes. If your internal network is a 10.x.x.x,
> try 172.16.*.*
>
> nmap -sP 10.*.*.*
>
> nmap is a very powerful port scanner.  With this command
> it does only a PING and TCP sweep (default port 80), but
> uses an ACK instead of a SYN.
>
> To verify that your connections table is quickly growing,
> try "fw tab -t connections -s" at 10 second intervals.
>
> Tested on ver 4.0 SP3 on Solaris x86 2.6.
>
> I would greatly appreciate if anyone could prove/disprove
> this. Also, FW-1's SynDefender did not protect against this
> attack.
>
> Lance
> http://www.enteract.com/~lspitz