Bugtraq mailing list archives
Re: FW-1 DOS attack: PART II
From: sbirn () SECURITY ORG IL (Steve Birnbaum)
Date: Tue, 3 Aug 1999 23:22:02 -0400
lance () SPITZNER NET said:
I have not tested that yet, so I cannot confirm nor deny its validity, however I have heard of this behavior before. Looks like I have a new challenge to play with :)
I tested it some time ago under 3.0b (maybe with some patches added). They might have changed it since then, of course.

As someone else has already stated in this thread, when installing a policy the state table is reset. So as not to have all existing connections dropped when this happens, Checkpoint had/have this "feature" that allows ACK packets in. It is only supposed to allow ACK packets in that correspond to the reverse of an outgoing rule. Therefore, if there is nothing allowed out, it's not supposed to allow the ACKs in. If you allow all internal hosts to access the Internet on all ports, it'll allow in most packets.

The body gets mangled, but I'm not sure about the sequence numbers. Depending on the response of the internal host the connection will be added to the state table.

Steve
--
Steve Birnbaum - sbirn () security org il (PGP key available)
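
The ACK handling described in the message above, as a toy Python model for auditing a rule base (an added example, not part of the original post and not Check Point code). The class names, rule format and addresses are constructed; the model follows only the post's description and ignores sequence numbers and payload.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class OutRule:
    src_net: str               # internal network allowed out
    dport: Optional[int]       # service port; None means all ports

@dataclass
class Firewall:
    out_rules: list
    ack_passthrough: bool      # True models the "feature" described in the post
    state: set = field(default_factory=set)

    def install_policy(self):
        self.state.clear()     # installing a policy resets the state table

    @staticmethod
    def _allows(rule, internal_ip, service_port):
        in_net = ipaddress.ip_address(internal_ip) in ipaddress.ip_network(rule.src_net)
        return in_net and rule.dport in (None, service_port)

    def outbound(self, src, sport, dst, dport):
        if any(self._allows(r, src, dport) for r in self.out_rules):
            self.state.add((src, sport, dst, dport))
            return "accept"
        return "drop"

    def inbound(self, src, sport, dst, dport, flags):
        if (dst, dport, src, sport) in self.state:   # reverse of a tracked flow
            return "accept"
        # Stateless ACK: allowed only as the reverse of some outgoing rule.
        if self.ack_passthrough and set(flags) == {"ACK"}:
            if any(self._allows(r, dst, sport) for r in self.out_rules):
                return "forward"   # no state yet; added if the host answers
        return "drop"

def audit(out_rules, ack_passthrough=True):
    """Which constructed probes get in right after a policy install."""
    fw = Firewall(list(out_rules), ack_passthrough)
    fw.install_policy()
    ext, host = "192.0.2.10", "10.0.0.5"     # constructed addresses
    return {
        "ack_from_80": fw.inbound(ext, 80, host, 1025, {"ACK"}),
        "ack_from_4444": fw.inbound(ext, 4444, host, 1025, {"ACK"}),
        "syn_from_80": fw.inbound(ext, 80, host, 1025, {"SYN"}),
    }
```

Comparing `audit()` for an all-ports outgoing rule against a port-80-only rule shows how much the stateless ACK path depends on how tightly the outgoing rules are written.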