Bugtraq mailing list archives

Re: Simple DOS attack on FW-1


From: cbrenton () SOVER NET (Chris Brenton)
Date: Sat, 31 Jul 1999 21:52:42 -0400


"Scott, Richard" wrote:

> Sure this is the case if you have a rule set that has something like: let
> in a packet that is bound to some address range.
> If I have a rule set that is host based, allowing only a few specific IP
> addresses in, the DoS attack is limited?

True, but all an attacker has to do is DoS a legitimate server (say IIS,
pick your favorite vulnerability ;) which sits behind the firewall and
is accessible from the Internet. Once the machine stops responding, the
firewall is a sitting target as I now have an inbound "allow" rule to an
IP address which is not responding (the attack does not require full
subnet scanning). DoS mode is achievable which takes out all inbound and
outbound traffic.

> Increasing the size of the connections allowed in the table may only reduce
> the possibility of the attack.  Why not increase the number such that it is
> greater than what your bandwidth can handle (advocated by firewall people
> here)?

Not that easy to do. The default TCP timeout is one hour. You can
adjust this lower, but by doing so you run the risk of breaking FTP,
which relies on this timeout to keep the command session active during
large file transfers. This means that you can easily DoS a firewall
sitting on the other end of a 56K connection even if you double the size
of the state table. It's the same type of problem you encounter when
trying to modify your systems to be immune to SYN attacks.

Also, this is not just a Firewall-1 thing. _Any_ firewall device which
attempts to maintain state is going to have similar problems.

Cheers,
Chris

--
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
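The capacity argument in the reply above (a 56K link, a one-hour TCP timeout, and doubling the state table) worked through as an added example; this is not code from the post or from Firewall-1. It assumes a 40-byte minimum TCP/IP packet with no link-layer overhead and a hypothetical 25,000-entry table; both are assumptions chosen for illustration.

```python
# Added example, not part of the original post. Capacity-planning model for a
# stateful firewall's connection table: how many entries can pile up inside one
# timeout window, and what timeout a given table size can actually cover.
# Assumptions: 40-byte minimum TCP/IP packet, no link-layer framing counted,
# and a hypothetical 25,000-entry table (not a documented Firewall-1 default).

MIN_PACKET_BYTES = 40          # assumption: bare IP + TCP header, no options


def packets_per_second(link_bps: float, min_bytes: int = MIN_PACKET_BYTES) -> float:
    """Upper bound on minimum-size packets the link can deliver each second."""
    return link_bps / (min_bytes * 8)


def entries_per_timeout_window(link_bps: float, timeout_s: float,
                               min_bytes: int = MIN_PACKET_BYTES) -> float:
    """Worst case for the firewall: every arriving packet opens one entry and
    none are released until they age out after timeout_s seconds."""
    return packets_per_second(link_bps, min_bytes) * timeout_s


def table_survives(table_size: int, link_bps: float, timeout_s: float,
                   min_bytes: int = MIN_PACKET_BYTES) -> bool:
    """True only if the table out-sizes what the link can fill in one window."""
    return table_size > entries_per_timeout_window(link_bps, timeout_s, min_bytes)


def max_timeout_for_table(table_size: int, link_bps: float,
                          min_bytes: int = MIN_PACKET_BYTES) -> float:
    """Largest idle timeout (seconds) at which the table still covers the link.
    Compare this against what long FTP control sessions need before lowering it."""
    return table_size / packets_per_second(link_bps, min_bytes)


def sizing_report(link_bps: float, timeout_s: float, table_size: int) -> dict:
    """Summarise the trade-off for one link/timeout/table combination."""
    return {
        "entries_per_window": entries_per_timeout_window(link_bps, timeout_s),
        "table_survives": table_survives(table_size, link_bps, timeout_s),
        "doubled_table_survives": table_survives(2 * table_size, link_bps, timeout_s),
        "max_safe_timeout_s": max_timeout_for_table(table_size, link_bps),
    }


if __name__ == "__main__":
    # 56 kbit/s link, one-hour default timeout, hypothetical 25,000-entry table
    for key, value in sizing_report(56_000, 3600, 25_000).items():
        print(f"{key}: {value}")
```

At 56 kbit/s the link can fill about 630,000 entries within a one-hour window, so a 25,000-entry table and its doubled 50,000-entry version both lose; the table covers the link only if the idle timeout drops to roughly 143 seconds, which is where the FTP breakage trade-off comes in.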
