Re: Simple DOS attack on FW-1

[Olaf.Selke () MEDIAWAYS NET (Olaf Selke)]

According to Lance Spitzner:
> Any malicious black-hat or disgruntled employee can fill
> your connections table.  Many organiztion allow all
> outbound traffic.  Someone can simply scan a non-existant
> target outbound and fill the connections table.  They
> even can be sneaky about it and use nmap with the'-D'
> option, so someone else gets blamed for the scanning activity.
>
> The main reason I consider this 'exploit' dangerous, is not only
> is it easy for any black-hat to do, but it is very easy for you

unfortunately there is an easy way to exploit this from the
outside. By default each FireWall-1 accepts connections to its
own port 256/tcp from the entire Internet. This feature can be
turned off in the gui's control properties but usually it isn't:

Taken from Phoneboy's FAQ, http://www.phoneboy.com/

TCP Port 256 is used for three important things:
- Exchange of CA and DH keys in FWZ and SKIP encryption
  between two FireWall-1 Management Consoles
- A SecuRemote Client uses this port to fetch the network topology
  and encryption key from a FireWall-1 Management Console
- When instaling a policy, the management console uses this port
  to push the policy to the remote firewall.

This means a misguided individual may trash the FireWall-1 connection
table even from the outside by sending syn packets to firewall's port
256/tcp with random addresses as source. The firewall will reply with
syn|ack packets to these non existing addresses, placing these
connections in it's state table.

I've tested this with the most recent FireWall-1 Version 4.0 Build 4064 [VPN + DES]
on Sun Solaris 2.6 and and some pretty old Linux based synflood tool published
in the Phrack magazine two years ago.

Olaf

--
Olaf Selke, olaf.selke () mediaways net, voice +49 5241 80-7069