Bugtraq mailing list archives

Re: FW-1 DOS attack: PART II


From: sbirn () SECURITY ORG IL (Steve Birnbaum)
Date: Tue, 3 Aug 1999 23:22:02 -0400


lance () SPITZNER NET said:
 I have not tested that yet, so I cannot confirm nor deny its
validity, however I have heard of this behavior before.  Looks like I
have a new challenge to play with :)

I tested it some time ago under 3.0b (maybe with some patches added).  They
might have changed it since then, of course.

As someone else has already stated in this thread, when installing a policy
the state table is reset.  So as not to have all existing connections dropped
when this happens, Checkpoint had/have this "feature" that allows ACK packets
in.  It is only supposed to allow ACK packets in that correspond to the
reverse of an outgoing rule.  Therefore, if there is nothing allowed out,
it's not supposed to allow the ACKs in.  If you allow all internal hosts to
access the Internet on all ports, it'll allow in most packets.

The body gets mangled, but I'm not sure about the sequence numbers.

Depending on the response of the internal host the connection will be added
to the state table.

  Steve

--
Steve Birnbaum  -  sbirn () security org il      (PGP key available)
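To make the behaviour described in the post concrete, here is an added example that is not part of the thread and is not Check Point's code: a constructed, simplified Python model of a stateful filter whose policy install wipes the state table and which then admits inbound ACK-only segments that match the reverse of an outbound rule. The rule shape (a set of permitted outbound destination ports, or "ANY"), the 10/8 "inside" convention and the re-learning of a connection when the internal host answers are all modelling assumptions. It shows the trade-off the post points at: with a permit-everything outbound rule the fallback admits almost any unsolicited ACK, while a narrow outbound rule or switching the fallback off closes that gap at the cost of dropping in-flight sessions until they are re-learned.

```python
"""Constructed model of a state-table reset with ACK pass-through.

Not Check Point code: a toy stateful packet filter in which a policy
install clears the state table and inbound ACK-only segments are then
admitted when they match the reverse of an outbound rule.
"""
from dataclasses import dataclass, field

INTERNAL_PREFIX = "10."  # assumption: 10/8 is the inside network


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


@dataclass
class Firewall:
    outbound_ports: object = "ANY"  # set of ints or "ANY" (assumed rule shape)
    ack_passthrough: bool = True    # the "feature" discussed in the thread
    state: set = field(default_factory=set)

    @staticmethod
    def key(p):
        # One key covers both directions of a TCP connection.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def outbound_allowed(self, dport):
        return self.outbound_ports == "ANY" or dport in self.outbound_ports

    def install_policy(self):
        # The reset the thread describes: every tracked connection is forgotten.
        self.state.clear()

    def filter(self, p):
        k = self.key(p)
        if k in self.state:
            return "ALLOW"  # known connection
        outbound = is_internal(p.src) and not is_internal(p.dst)
        inbound = is_internal(p.dst) and not is_internal(p.src)
        if p.flags == frozenset({"SYN"}):
            if outbound and self.outbound_allowed(p.dport):
                self.state.add(k)
                return "ALLOW"
            return "DROP"  # this toy policy has no inbound rules
        if "RST" in p.flags:
            # A reset is let out but never creates state.
            return "ALLOW" if outbound else "DROP"
        if "ACK" in p.flags:
            if outbound and self.outbound_allowed(p.dport):
                # Internal host answering after the reset: connection re-learned
                # (assumption about how the table is rebuilt).
                self.state.add(k)
                return "ALLOW"
            if inbound and self.ack_passthrough and self.outbound_allowed(p.sport):
                # Reverse of an outbound rule: admitted with no state at all.
                return "ALLOW"
        return "DROP"


def scenario(outbound_ports="ANY", ack_passthrough=True):
    """Run one configuration through a reset.

    Returns (server reply to a pre-reset session, unsolicited inbound ACK,
    inbound packet after the internal host has replied). Addresses and
    ports are constructed sample values.
    """
    fw = Firewall(outbound_ports, ack_passthrough)
    ext, inside = "203.0.113.5", "10.0.0.7"
    assert fw.filter(Packet(inside, 40000, ext, 80, frozenset({"SYN"}))) == "ALLOW"
    fw.install_policy()  # policy installed mid-session
    existing = fw.filter(Packet(ext, 80, inside, 40000, frozenset({"ACK"})))
    unsolicited = fw.filter(Packet(ext, 54321, inside, 25, frozenset({"ACK"})))
    # The internal host sends more data on the old session; the table relearns it.
    fw.filter(Packet(inside, 40000, ext, 80, frozenset({"ACK"})))
    relearned = fw.filter(Packet(ext, 80, inside, 40000, frozenset({"ACK"})))
    return existing, unsolicited, relearned


if __name__ == "__main__":
    print("permit-all outbound, pass-through on :", scenario())
    print("outbound 80/443 only, pass-through on:", scenario({80, 443}))
    print("permit-all outbound, pass-through off:", scenario(ack_passthrough=False))
```

Running it shows the three cases side by side: with "allow everything out" the unsolicited ACK is admitted exactly as the post says, restricting the outbound rule leaves only ACKs from the permitted server ports able to use the fallback, and disabling the fallback drops the stale session's data until the internal side speaks again and the connection is re-learned.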
