Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: spitzner () DIMENSION NET (Lance Spitzner)
Date: Sun, 1 Aug 1999 00:42:13 -0400
On Fri, 30 Jul 1999, Scott, Richard wrote:
> Sure this is the case if you have a rule set that has something like: let in a packet that is bound to some address range. If I have a rule set that is host based, allowing only a few specific IP addresses in, is the DoS attack limited?
Very true, the more strict the rulebase, the better. However, most rulebases are very lenient for outbound traffic. Many firewalls let any internal system go anywhere on port 80, allowing company employees external access to the world wide web. This DOS attack is based more on an internal threat. However, it is easy for an admin to accidentally set off this DOS by doing a simple port scan from the inside. That is how I discovered this DOS, by accidentally shooting myself in the foot. I received various emails from admins stating that they had problems with their firewalls, and now realize they had DOSed themselves.
> Increasing the size of the connections allowed in the table may only reduce the possibility of the attack. Why not increase the number such that it is greater than what your bandwidth can handle (advocated by firewall people here)?
Check Point Firewall-1 can only be increased so much. I believe the max is around 50,000+, but I have not tested/verified this. For additional solutions to this issue, I recommend reviewing my website, as I updated it tonight. http://www.enteract.com/~lspitz/fwtable.html

Thanks for the input!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
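The exchange above turns on two things: a lenient outbound rule lets one internal host fill the firewall's connection table (the accidental internal port scan Lance describes), and raising the table size only delays that. The toy model below is an added example, not Firewall-1 code or anything from Lance's page. It simulates a fixed-capacity state table with an idle timeout, replays a constructed internal scan against it, and shows why a per-source connection cap (an assumed mitigation, not one the thread discusses) keeps a legitimate user's port 80 session alive where a larger table alone would not. All hosts, ports and timings are constructed sample values; `top_talkers` is a hypothetical helper showing the monitoring check an admin would want.

```python
"""Toy stateful firewall connection table (added example, not FW-1 code).

Assumptions: fixed capacity, idle timeout in seconds, optional per-source cap.
All traffic below is constructed sample data.
"""


class ConnTable:
    def __init__(self, capacity, idle_timeout, per_source_limit=None):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.per_source_limit = per_source_limit  # hypothetical mitigation knob
        self.entries = {}  # (src, dst, dport) -> last_seen timestamp
        self.dropped_full = 0  # packets refused because the table was full
        self.dropped_per_source = 0  # packets refused by the per-source cap

    def expire(self, now):
        """Remove entries idle longer than the timeout (how a real table recovers)."""
        stale = [k for k, t in self.entries.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def count_for(self, src):
        return sum(1 for k in self.entries if k[0] == src)

    def admit(self, src, dst, dport, now):
        """Return True if the packet gets (or refreshes) a table slot."""
        self.expire(now)
        key = (src, dst, dport)
        if key in self.entries:  # existing connection: refresh, no new slot
            self.entries[key] = now
            return True
        if self.per_source_limit is not None and self.count_for(src) >= self.per_source_limit:
            self.dropped_per_source += 1
            return False
        if len(self.entries) >= self.capacity:
            self.dropped_full += 1
            return False
        self.entries[key] = now
        return True


def top_talkers(table, n=3):
    """Monitoring check: which internal sources hold the most table slots."""
    counts = {}
    for src, _, _ in table.entries:
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def simulate(per_source_limit=None, capacity=1000, idle_timeout=60):
    """Replay a constructed internal scan, then one legitimate web session."""
    table = ConnTable(capacity, idle_timeout, per_source_limit)
    # Constructed scenario from the thread: one internal host scans 1200 ports
    # on an external address, one connection every 10 ms (t = 0.01 .. 12.0 s).
    scanning_host = "10.0.0.5"
    for port in range(1, 1201):
        table.admit(scanning_host, "192.0.2.10", port, now=port * 0.01)
    # A second internal user then tries ordinary outbound HTTP at t = 15 s.
    legit_allowed = table.admit("10.0.0.7", "198.51.100.20", 80, now=15.0)
    return {
        "table_size": len(table.entries),
        "legit_allowed": legit_allowed,
        "dropped_full": table.dropped_full,
        "dropped_per_source": table.dropped_per_source,
        "top_talkers": top_talkers(table),
    }


def recovers_after_timeout(idle_timeout=60):
    """Show that the table drains once the scan's entries go idle."""
    table = ConnTable(capacity=1000, idle_timeout=idle_timeout)
    for port in range(1, 1201):
        table.admit("10.0.0.5", "192.0.2.10", port, now=port * 0.01)
    # Well past the idle timeout, the legitimate session is admitted again.
    return table.admit("10.0.0.7", "198.51.100.20", 80, now=100.0)


if __name__ == "__main__":
    print("lenient outbound rule:", simulate())
    print("with per-source cap:  ", simulate(per_source_limit=100))
    print("after idle timeout:   ", recovers_after_timeout())
```

With the lenient rule the scanning host takes every slot and the legitimate port 80 session is refused until the idle timeout drains the table; with a per-source cap of 100 the scanner is throttled, the table stays mostly empty and the session goes through. `top_talkers` is the view an admin would check to spot a self-inflicted scan before the table fills, since the page's point is that the offending host is usually internal.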