Bugtraq mailing list archives

Flood ACK packets cause an IBM SecureWay FireWall DoS


From: Mauro Flores <maflores () antel com uy>
Date: 09 Oct 2002 10:42:34 -0300

---------------------------------------------------------------------------
Title: Flood ACK packets cause an IBM SecureWay FireWall DoS.

Released: 9th Oct 2002
---------------------------------------------------------------------------

Vulnerable:
===========
- SecureWay 4.2.x on AIX

Overview:
=========
SecureWay is a robust FireWall product developed by IBM that runs on the AIX
and Windows platforms. It is not a full-fledged stateful packet filter, but more
like a stateful-inspection firewall with connection-centric deterministic filtering.

There exists a stack problem with malformed TCP packets that can lead
SecureWay to a DoS condition. To reach this condition a large bandwidth is required.

Details:
========
When a TCP packet with all flags zeroed is sent to the SecureWay FireWall, the
firewall recognizes the invalid packet only after a lot of processing has been done.
Because of this, a flood of these forged packets consumes a lot of resources and can
lead the IBM SecureWay FireWall to a denial of service condition.

To reach the DoS condition the flood must be over 2.8 Mbps, so this is more of a
DDoS attack.

On servers running SecureWay, the standard AIX fix does not work.
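As an added illustration (not part of the original advisory), a small detector for the packet type described above: it parses raw IPv4/TCP headers, counts segments whose TCP flag byte is zero per source address, and reports sources that exceed a threshold so a flood of such packets can be alerted on. The sample packets are constructed here with documentation-range addresses.

```python
import struct
from collections import Counter

def tcp_flags(packet: bytes):
    """Return the TCP flags byte of a raw IPv4/TCP packet, or None if not TCP.

    Assumes the buffer starts at the IPv4 header (no link-layer header).
    """
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None                        # not TCP, or truncated TCP header
    return packet[ihl + 13]                # TCP flags byte (offset 13 in the TCP header)

def src_ip(packet: bytes) -> str:
    return ".".join(str(b) for b in packet[12:16])

def count_null_flag_packets(packets):
    """Count TCP segments with an all-zero flag byte, keyed by source address."""
    hits = Counter()
    for p in packets:
        if tcp_flags(p) == 0:
            hits[src_ip(p)] += 1
    return hits

def flood_sources(packets, threshold):
    """Sources that sent more than `threshold` null-flag segments (alert candidates)."""
    return sorted(s for s, n in count_null_flag_packets(packets).items() if n > threshold)

def build_packet(src: str, dst: str, flags: int, proto: int = 6) -> bytes:
    """Constructed minimal IPv4 + TCP header for the sample; checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    # data offset 5 words (0x50), then the flags byte
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

# Constructed sample traffic: a normal SYN and ACK, then three null-flag segments
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.1", 0x02),   # SYN
    build_packet("192.0.2.10", "198.51.100.1", 0x10),   # ACK
    build_packet("203.0.113.7", "198.51.100.1", 0x00),  # no flags set
    build_packet("203.0.113.7", "198.51.100.1", 0x00),
    build_packet("203.0.113.7", "198.51.100.1", 0x00),
]
```

In production the threshold would be a rate per time window rather than a plain count, and the packets would come from a capture rather than being constructed.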

Vendor Response:
================
IBM was contacted on July 14, 2002. The vendor confirmed the problem and released
a fix.

Corrective Action:
==================
Update to SecureWay Firewall version 4.2.2 or install APAR IR49046.
ftp://testcase.software.ibm.com/aix/fromibm/firewall/fwaixfilter4_421d*

Vulnerability Reporting Policy:
===============================
http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt


Author: Mauro Flores (maflores () antel com uy)
        Guillermo Freire (gfreire () antel com uy)

---------------------------------------------------------------------------
ANTel is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall ANTel be
liable for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
---------------------------------------------------------------------------