Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: Olaf.Selke () MEDIAWAYS NET (Olaf Selke)
Date: Sun, 1 Aug 1999 22:42:01 +0200
According to Lance Spitzner:
Any malicious black-hat or disgruntled employee can fill your connections table. Many organizations allow all outbound traffic. Someone can simply scan a non-existent target outbound and fill the connections table. They even can be sneaky about it and use nmap with the '-D' option, so someone else gets blamed for the scanning activity. The main reason I consider this 'exploit' dangerous, is not only is it easy for any black-hat to do, but it is very easy for you
Unfortunately there is an easy way to exploit this from the outside. By default each FireWall-1 accepts connections to its own port 256/tcp from the entire Internet. This feature can be turned off in the GUI's control properties, but usually it isn't. Taken from Phoneboy's FAQ, http://www.phoneboy.com/ :

TCP Port 256 is used for three important things:
- Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles
- A SecuRemote Client uses this port to fetch the network topology and encryption key from a FireWall-1 Management Console
- When installing a policy, the management console uses this port to push the policy to the remote firewall.

This means a misguided individual may trash the FireWall-1 connection table even from the outside by sending syn packets to the firewall's port 256/tcp with random addresses as source. The firewall will reply with syn|ack packets to these non-existent addresses, placing these connections in its state table.

I've tested this with the most recent FireWall-1 Version 4.0 Build 4064 [VPN + DES] on Sun Solaris 2.6 and some pretty old Linux based synflood tool published in the Phrack magazine two years ago.

Olaf

--
Olaf Selke, olaf.selke () mediaways net, voice +49 5241 80-7069
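A detection check for the half-open connections the message describes, as an added example that is not part of the original post: it counts distinct source addresses whose SYN to tcp/256 was never followed by the completing ACK within a short window, which is the pattern spoofed-source floods leave in a state table. The log format, thresholds and addresses are constructed for illustration and are not FireWall-1's own log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real FW-1 output): time src dst dport flags
SAMPLE_LOG = """\
1999-08-01T22:40:00 10.9.8.7 192.0.2.1 256 S
1999-08-01T22:40:00 198.51.100.4 192.0.2.1 256 S
1999-08-01T22:40:01 203.0.113.9 192.0.2.1 256 S
1999-08-01T22:40:01 192.0.2.77 192.0.2.1 256 S
1999-08-01T22:40:02 203.0.113.44 192.0.2.1 256 S
1999-08-01T22:40:02 198.51.100.200 192.0.2.1 256 S
1999-08-01T22:40:03 192.0.2.50 192.0.2.1 256 S
1999-08-01T22:40:03 192.0.2.50 192.0.2.1 256 A
1999-08-01T22:40:05 198.51.100.4 192.0.2.1 80 S
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) ([SA]+)$")
FW1_MGMT_PORT = 256  # the port the message says is open to the Internet by default

def parse(log_text):
    """Parse the constructed log format into (time, src, dst, dport, flags) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, flags = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), flags))
    return events

def half_open_sources(events, port=FW1_MGMT_PORT, window=timedelta(seconds=10), min_sources=5):
    """Return {dst: set(sources)} for destinations where at least `min_sources` distinct
    sources sent a SYN to tcp/`port` inside one `window` without ever completing the
    handshake (no ACK from that source), i.e. half-open entries left in the state table."""
    syn_seen, completed = {}, set()
    for t, src, dst, dport, flags in events:
        if dport != port:
            continue
        if "S" in flags and "A" not in flags:
            syn_seen.setdefault((src, dst), t)   # first SYN from this pair
        elif "A" in flags:
            completed.add((src, dst))            # handshake finished, not half-open
    by_dst = defaultdict(list)
    for (src, dst), t in syn_seen.items():
        if (src, dst) not in completed:
            by_dst[dst].append((t, src))
    alerts = {}
    for dst, items in by_dst.items():
        items.sort()
        for t0, _ in items:                      # slide the window over SYN times
            srcs = {s for t, s in items if t0 <= t <= t0 + window}
            if len(srcs) >= min_sources:
                alerts[dst] = srcs
                break
    return alerts
```

The host 192.0.2.50 completes its handshake and is excluded; the port 80 SYN is ignored because only the management port is watched.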