NetScreen Response to ScreenOS Port Scan DoS Vulnerability

[Mike Kouri <mkouri () netscreen com>]

In reference to your recent posting regarding NetScreen's "ScreenOS Port
Scan DoS Vulnerability" you will find attached our response. Please feel
free to contact me directly if you have any further questions regarding this
issue.

Mike Kouri
Senior Product Manager, ScreenOS
NetScreen Technologies, Inc. 
350 Oakmead Parkway, mailstop 500
Sunnyvale, California 94085
408-730-6206 

=-=-=-=-=-=-=-=-=-=-

February 5, 2002

NetScreen Response to:

"NetScreen ScreenOS Port Scan DoS Vulnerability" 

This issue was reported to NetScreen on February 1, 2002 and simultaneously
reported to BugTraq () SecurityFocus com (visible as
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=4015),
and SecurityTracker.com
(http://securitytracker.com/alerts/2002/Feb/1003421.html), among others. 

The reported issue involves the initiation of a Port Scan against a host
reachable via the "Untrust" interface from or by a user attached to the
"Trust" interface of a NetScreen device, and potentially consuming all
available sessions resulting in a denial of service attack against the
"Trusted" network. 

If a port scan were initiated against a host that responded to the scans
(with either ICMP unreachable or RST), the NetScreen device would
immediately close each of the sessions established during the port scan,
making them available for reuse. ScreenOS has a default session inactivity
timeout of 30 minutes.  Both pre-defined and custom services can be adjusted
in timeout value from 1 minute to 2 days.  After waiting the default 30
minutes (or the length of time the administrator adjusted the time interval
to), port scans to the unresponsive host will time out and the session
entries in the NetScreen device will be cleared for reuse.  

This problem can occur more quickly on NetScreen devices that have smaller
session tables. For example, the NetScreen-5XP has a maximum of 2,048
sessions, and the NetScreen-1000 has a maximum of 500,000 sessions.
Obviously, the session table on a NetScreen-5XP will be consumed faster than
on a NetScreen-1000. 

NetScreen released new features that addressed this issue in several manners
beginning in September 2001. One feature called Source IP Session
Thresholding can be used to mitigate the likelihood of this issue arising in
the first place.  This feature was introduced as a CLI command in ScreenOS
version 2.6.1r2, and has been incorporated into the WebUI starting with
ScreenOS version 3.0.  

The command

set firewall session-threshold source-ip-based [num]

limits any one source IP from the trusted side to [num] number of concurrent
sessions.  Since the NetScreen-5XP can support 2,048 concurrent sessions,
NetScreen recommends the higher of the following two numbers as a starting
point:  100, or 2048/n where "n" is the number of systems on the "Trust"
side network.  Administrators are advised to check their flow counters to
see if that's an acceptable number, and modify accordingly.

Next, releases of ScreenOS 3.0.0 and later allow the administrator to
forcibly clear sessions based on characteristics of those sessions such as
source IP address, destination IP address, source port, destination port,
source MAC address, and/or destination MAC address.
 
For example, the command

clear session dst-ip <a.b.c.d>

will clear all active sessions to destination IP address a.b.c.d from the
NetScreen active session table. This command can be used to recover from a
wild port scan without waiting for all sessions to age out or without
resetting the NetScreen device.

Lastly, ScreenOS 3.1.0 and later allow the administrator to enable firewall
protections, including port scan protections, on any interface. 

NetScreen recommends all customers to upgrade to the latest version of
ScreenOS supported by their hardware and then to enable one or all of the
above features to minimize the likelihood of being affected by this issue.

The latest currently available versions of ScreenOS at the time of this
writing for each NetScreen device are:

Hardware                ScreenOS release
NetScreen-5                     2.6.1r6
NetScreen-5XP           3.0.1r1
NetScreen-10            3.0.1r1
NetScreen-25            3.0.0r1
NetScreen-50            3.0.0r1
NetScreen-100           3.0.1r1
NetScreen-204           3.1.0r1
NetScreen-208           3.1.0r1
NetScreen-500           3.1.0r1
NetScreen-1000          2.8.0r1