Vulnerability Development mailing list archives
RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
From: Yanek Korff <yanek () cigital com>
Date: Wed, 14 Nov 2001 11:27:48 -0500
> Checkpoint does crash when being portscanned. Well, sort of. Quite simply, when a (stateful) firewall has too many entries in the state table (i.e. it's full) then the box has problems. In the case of Checkpoint (or at least, this was the case a few versions ago) it will crash. (And incidentally, if you are synchronising the state table with another firewall for the purposes of failover, then they'll both crash.) IIRC about 25000 connections will do this (less if you are using NAT). Checkpoint also holds the 'state entries' for 50 seconds after the connection is closed (i.e. FIN packets are seen), so you have a while to reach the magic number. My experience was with a Nokia IP440/Checkpoint Firewall-4.1SP3, but it sounds as if the same situation may be occurring.
Unfortunately, I don't think this is the case. If a table were being filled up, I'd expect the FW to stay up for some period of time before eventually crashing. Here are some relevant facts:

1. Linux FW crashes -immediately- before it has the opportunity to log a udp packet with tcpdump
2. Scans complete successfully against NT 4.0 and Solaris-x86

-Yanek.
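The two posts above disagree about whether state-table exhaustion fits the symptoms, and the disagreement turns on timing: a bounded table with a post-close hold timer fills at a rate set by new-flow arrivals, so a crash caused by exhaustion should lag the start of the scan. The model below is an added illustration, not code from either poster or from Checkpoint. It replays a constructed stream of flow open/close events through a table with a fixed capacity and a hold timer (the 25000-entry limit and 50-second hold are the figures quoted in the thread; the new-flow rate, scan duration and per-flow lifetime are assumed inputs) and reports the peak occupancy and the first second at which a new flow is refused. A defender can use the same arithmetic for capacity planning: if the expected steady-state entry count approaches the table size, alert on table occupancy before it becomes an outage.

```python
"""Toy model of a stateful firewall's connection table.

Added example, not code from the mailing-list posters. Capacity and hold
time follow the figures quoted in the thread; every other number below
(flow rate, duration, flow lifetime) is a constructed assumption.
"""
import heapq


def simulate_state_table(events, capacity, hold_seconds):
    """Replay (time, action, flow_id) events through a bounded table.

    An "open" inserts an entry; a "close" starts the hold timer, after
    which the entry is purged. An "open" that arrives while the table
    holds `capacity` entries is dropped.
    Returns (peak_occupancy, first_full_second_or_None).
    """
    table = {}        # flow_id -> expiry time (None while the flow is open)
    expiries = []     # min-heap of (expiry_time, flow_id)
    peak = 0
    first_full = None
    for t, action, flow_id in events:
        # Purge entries whose post-close hold timer has run out.
        while expiries and expiries[0][0] <= t:
            exp, fid = heapq.heappop(expiries)
            if table.get(fid) == exp:
                del table[fid]
        if action == "open":
            if len(table) >= capacity:
                if first_full is None:
                    first_full = t
                continue  # table full: the new flow is refused
            table[flow_id] = None
        elif action == "close":
            if flow_id in table and table[flow_id] is None:
                exp = t + hold_seconds
                table[flow_id] = exp
                heapq.heappush(expiries, (exp, flow_id))
        peak = max(peak, len(table))
    return peak, first_full


def scan_burst(rate_per_second, duration_seconds, flow_lifetime):
    """Constructed event stream: `rate_per_second` new flows every second,
    each closed `flow_lifetime` seconds after it opened."""
    events = []
    fid = 0
    for t in range(duration_seconds):
        for _ in range(rate_per_second):
            events.append((t, "open", fid))
            events.append((t + flow_lifetime, "close", fid))
            fid += 1
    # Same-second closes are processed before opens.
    events.sort(key=lambda e: (e[0], e[1] != "close"))
    return events


def steady_state_entries(rate_per_second, hold_seconds, flow_lifetime):
    """Closed-form occupancy once expiries keep pace with new flows:
    each flow occupies an entry for lifetime + hold seconds."""
    return rate_per_second * (hold_seconds + flow_lifetime)


if __name__ == "__main__":
    capacity, hold = 25000, 50  # figures quoted in the thread
    for rate in (100, 1000):    # assumed new-flow rates per second
        peak, full_at = simulate_state_table(
            scan_burst(rate, 60, 1), capacity, hold)
        print(f"{rate} flows/s: steady state "
              f"{steady_state_entries(rate, hold, 1)} entries, "
              f"peak {peak}, first refusal at {full_at}s")
```

With 1000 new flows per second the table is full after 25 seconds, and with 100 per second it levels off at 5100 entries and never fills. Either way the failure is gradual, which is the behaviour Yanek contrasts with an immediate panic on the first UDP packet.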