Bugtraq mailing list archives

Re: NT DoS on FW-1


From: hargett () WINTERMUTE CITYSCAPE NET (Matt Hargett)
Date: Sun, 21 Feb 1999 17:43:44 -0600


This issue can be fixed by simply implementing a stealthing rule on the
firewall itself. The problem is in NT's stack, not the FireWall's.

Jamie Thain wrote:

Timothy,

I was running nmap against a client's Checkpoint FW-1
when they called to inform me that it had crashed.  I
was not on site so unfortunately I have little
details.

I have seen this before where a high speed port scanner running against a
FW-1 on NT seems to crash it. FW-1 does not exhibit this behaviour on
Sun. You may want to check and make sure you have the most recent patch
level. That information is on the FW-1 site.

I DO know that they were running it on a NT
box and it was behind a Cisco 3640.

I have done a bit of testing using nmap against NT 4.0 with
SP4. My findings were that plain NT 4.0 SP4 doesn't
crash/behave erratically by itself with the many instances of nmap
options that I tried. Certainly not a simple SYN scan with OS
fingerprinting.

What exactly is the problem in NT's stack and how exactly can you measure
its adverse reaction? I was looking under task manager at the nonpaged
kernel memory, process, thread, and handle counts.


-----------------------------------------
Matt Hargett
http://www.cityscape.net/~hargett
matt () use net

sex on the TV, everybody's at it
and the mind gets dirty
as you get closer
to thirty


