Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: cbrenton () SOVER NET (Chris Brenton)
Date: Sat, 31 Jul 1999 21:52:42 -0400
"Scott, Richard" wrote:
> Sure this is the case if you have a rule set that has something like: let in a packet that is bound to some address range. If I have a rule set that is host based, allowing only a few specific IP addresses in, is the DoS attack limited?
True, but all an attacker has to do is DoS a legitimate server (say IIS, pick your favorite vulnerability ;) which sits behind the firewall and is accessible from the Internet. Once the machine stops responding, the firewall is a sitting target as I now have an inbound "allow" rule to an IP address which is not responding (the attack does not require full subnet scanning). DoS mode is achievable which takes out all inbound and outbound traffic.
> Increasing the size of the connections allowed in the table may only reduce the possibility of the attack. Why not increase the number such that it is greater than what your bandwidth can handle (advocated by firewall people here)?
Not that easy to do. The default TCP timeout is one hour. You can adjust this lower, but by doing so you run the risk of breaking FTP, which relies on this timeout to keep the command session active during large file transfers. This means that you can easily DoS a firewall sitting on the other end of a 56K connection even if you double the size of the state table. It's the same type of problem you encounter when trying to modify your systems to be immune to SYN attacks. Also, this is not just a Firewall-1 thing. _Any_ firewall device which attempts to maintain state is going to have similar problems.

Cheers,
Chris
--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
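The sizing argument Chris makes above (table size versus link rate versus idle timeout) as a small added check, not code from the thread or from Check Point: it assumes each connection attempt is one minimal 64-byte frame and uses constructed table sizes of 25,000 and 50,000 entries, since the post does not give the FW-1 default.

```python
# Added example (not from the thread): why enlarging a stateful firewall's
# connection table cannot, on its own, outrun a flood arriving at link rate.
# All numbers are constructed inputs for the calculation, not measured values.

def syn_rate(link_bps: float, frame_bytes: int = 64) -> float:
    """Upper bound on new-connection attempts per second a link can carry,
    assuming each attempt is one minimal frame (64 bytes is an assumption)."""
    return link_bps / 8.0 / frame_bytes


def steady_state_entries(link_bps: float, timeout_s: float,
                         frame_bytes: int = 64) -> float:
    """Entries held when every arriving attempt occupies a slot until the idle
    timeout expires: arrival rate x timeout (Little's law)."""
    return syn_rate(link_bps, frame_bytes) * timeout_s


def seconds_to_fill(table_size: int, link_bps: float, timeout_s: float,
                    frame_bytes: int = 64):
    """Seconds until the table is full, or None if it never fills because
    entries expire at least as fast as they arrive."""
    rate = syn_rate(link_bps, frame_bytes)
    if rate * timeout_s <= table_size:
        return None
    return table_size / rate


def max_safe_timeout(table_size: int, link_bps: float,
                     frame_bytes: int = 64) -> float:
    """Largest idle timeout at which this link cannot keep the table full;
    the lever the post warns will break long FTP transfers if set too low."""
    return table_size / syn_rate(link_bps, frame_bytes)


if __name__ == "__main__":
    link = 56_000      # the 56K line from the post
    timeout = 3600     # the one-hour default TCP timeout from the post
    for table in (25_000, 50_000):   # constructed: base size and doubled
        t = seconds_to_fill(table, link, timeout)
        print(f"table={table}: fills in {t:.0f}s at link rate; "
              f"needs timeout <= {max_safe_timeout(table, link):.0f}s")
```

Doubling the table only doubles the seconds until it fills, while the timeout that would actually protect it is a few hundred seconds, far below the hour FTP control sessions need.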