Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: nobody () NOWHERE TO (Anonymous)
Date: Wed, 4 Aug 1999 19:00:01 -0000
I have another take on this thread that might also be of interest to those that have been following it since last week. First, kudos to Lance for the excellent documentation of the denial of service condition brought about by the mishandling of ACK packets by FW-1. But:

1) We also now have proof that FW-1 allows ACK stealth scanning. I have successfully replicated most of the tests and conditions originally reported by Lance.

2) FW-1 will still allow ACK stealth scanning even though the fixes suggested by Lance are correctly implemented.

3) Over time, these ACK scans could generate sufficient data to determine most of the rules in an installed rule set (and any holes that might exist).

AFAIK, programs like RealSecure aren't smart enough to pick up this type of scanning strategy, unless it was run rapidly enough (ala strobe) to be detected. NFR might be, but I am still looking into that.

What can we do? Unfortunately, looks like we wait for a patch from the boyz at Checkpoint; that might take a while. In the meantime, I've always some more practice hacking INSPECT... ;-)

cheers,
sh3p4rd
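The detection gap described in the message above, sketched as an added example that is not part of the original post: a rate-windowed detector misses bare ACKs that arrive slowly, while a per-source cumulative count of unsolicited ACK targets catches them. The packet record format, addresses, and thresholds are constructed assumptions, not taken from FW-1, RealSecure or NFR.

```python
from collections import defaultdict

def sample_packets():
    """Constructed records: (epoch_seconds, src, dst, sport, dport, tcp_flags)."""
    pkts = [  # one normal handshake, so its ACK belongs to a known flow
        (0, "10.0.0.5", "192.0.2.10", 40000, 80, "S"),
        (1, "192.0.2.10", "10.0.0.5", 80, 40000, "SA"),
        (2, "10.0.0.5", "192.0.2.10", 40000, 80, "A"),
    ]
    # slow prober: one bare ACK every 10 minutes, each to a different port
    for i, port in enumerate([21, 22, 23, 25, 53, 110]):
        pkts.append((600 * (i + 1), "198.51.100.7", "192.0.2.10",
                     50000 + i, port, "A"))
    return sorted(pkts)

def unsolicited_acks(packets):
    """Yield bare-ACK packets whose flow never showed a SYN in either direction."""
    seen = set()
    for ts, src, dst, sport, dport, flags in packets:
        flow = frozenset([(src, sport), (dst, dport)])
        if "S" in flags:
            seen.add(flow)
        elif flags == "A" and flow not in seen:
            yield ts, src, dst, dport

def rate_detector(packets, targets=5, window=60):
    """Flag a source that hits `targets` distinct dst/ports within `window` seconds."""
    hits, flagged = defaultdict(list), set()
    for ts, src, dst, dport in unsolicited_acks(packets):
        hits[src].append((ts, (dst, dport)))
        recent = {t for when, t in hits[src] if ts - when <= window}
        if len(recent) >= targets:
            flagged.add(src)
    return flagged

def cumulative_detector(packets, targets=5):
    """Flag a source by total distinct unsolicited-ACK targets, ignoring timing."""
    seen = defaultdict(set)
    for _ts, src, dst, dport in unsolicited_acks(packets):
        seen[src].add((dst, dport))
    return {src for src, t in seen.items() if len(t) >= targets}

if __name__ == "__main__":
    pkts = sample_packets()
    print("rate-based:", rate_detector(pkts))
    print("cumulative:", cumulative_detector(pkts))
```

The cumulative state has to be aged out on a long horizon (days, not seconds) in practice, otherwise it grows without bound.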