Bugtraq mailing list archives

Re: ACK Dos Attack


From: oscar.wahlberg () CONNECTA SE (Oscar Wahlberg)
Date: Wed, 11 Aug 1999 11:25:12 +0200


aleph,

Forwarding Check Point's response to the recent DoS discussions.
They've developed INSPECT code to handle the ACK DoS.
The code in the announcement might have compilation problems, but the URL
contains compilable code.

----- Forwarded from Check Point Support <cpsuppor () ts checkpoint com> -----

From: "Check Point Support" <cpsuppor () ts checkpoint com>
To: <fw-1-mailinglist () lists us checkpoint com>
Subject: [FW1] ACK Dos Attack
Date: Tue, 10 Aug 1999 23:27:36 -0500
Message-ID: <000f01bee3b1$d6bed620$ad542bcf () rbrannoc ts checkpoint com>
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0

This message is a follow-up to the Check Point response to the ACK DOS
attack posted last week.  Check Point has developed INSPECT code changes
that provide a solution for this type of attack.  This code change enables
Check Point gateways to drop non-first TCP packets instead of matching the
rule base.  It should be noted that this INSPECT fix will cause a change of
behavior from the existing Check Point gateway behavior in the following
way: following a reboot, policy unload or stopping the firewall, all active
TCP connections will be blocked, and any timed-out TCP connections
(i.e., connections that have been inactive longer than the TCP timeout) will
be disconnected. The ability for FireWall-1/VPN-1 to maintain connections
after policy reload will not be affected by this change.

For those with UNMODIFIED $FWDIR/lib/code.def files, you can go to the Check
Point web site and download the updated Check Point files (go to:
http://www.checkpoint.com/techsupport/alerts/ackdos.html).  Another option
is to edit the code.def files as described below.

Check Point 4.0-based Installations:
The following INSPECT code (between the two lines starting with "-----")
should be added to the $FWDIR/lib/code.def file (at the end of the file,
just before the #endif statement).  NOTE: if you are managing V3.0 modules,
using the 4.0 backwards compatibility feature, please make the changes to
the V3.0 code.def file (located in $FWDIR/lib30), as described in the "Check
Point 3.0-based Installations".  After completing the edit, re-install the
security policy.  For 4.0-based installations, this code will also log these
events.

----- 4.0 edit follows -----
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
                // Accept the first packet of a connection (it will be matched
                // against the rule base) or any packet of a known connection;
                // everything else is a stray non-first TCP packet and vanishes.
                tcp, first or <conn> in old_connections or
                (
#ifndef NO_NONFIRST_RULEBASE_MATCH_LOG
                        // Log each offending 5-tuple only once.
                        (
                        <ip_p,src,dst,sport,dport,0> in logged
                        ) or
                        (
                        record <ip_p,src,dst,sport,dport,0> in logged,
                        set sr10 12, set sr11 0, set sr12 0, set sr1 0,
                        log bad_conn
                        ) or 1,
#endif
                vanish
                );
#endif
----- End of 4.0 insert -----

Check Point 3.0-based Installations:
The following INSPECT code (between the two lines starting with "-----")
should be added to the $FWDIR/lib/code.def file (at the end of the file,
just before the #endif statement).  After completing the edit, re-install
the security policy.

----- 3.0 edit follows -----
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
        tcp, first or <conn> in old_connections or vanish;
#endif
----- End of 3.0 insert -----

Thank you,

Check Point Support

----- End forwarded message -----


--
Oscar Wahlberg <oscar.wahlberg () connecta se>
phone: +46-(0)708-44 55 63  fax: +46-(0)708-44 55 74
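The behaviour the forwarded INSPECT change describes, modelled as an added example (not Check Point's code and not part of the original post): non-first TCP packets are accepted only when their connection is already in the connection table, otherwise they are dropped and their 5-tuple is logged once, and the table flush that follows a reboot or policy unload blocks previously established connections. It assumes "first" means a SYN without ACK, a toy rule base of allowed destination ports, and constructed packet values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    """Just the TCP fields the INSPECT snippet looks at (constructed sample type)."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass
class Gateway:
    # Toy "rule base": accept new connections only to these destination ports (assumption).
    allowed_ports: frozenset = frozenset({80})
    connections: set = field(default_factory=set)   # stands in for old_connections
    logged: set = field(default_factory=set)        # stands in for the logged table
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.sport, p.dport)

    def handle(self, p):
        """Return 'accept' or 'drop' for one TCP packet."""
        key = self._key(p)
        if p.syn and not p.ack:
            # "first" packet: the only case that consults the rule base.
            if p.dport in self.allowed_ports:
                self.connections.add(key)
                self.connections.add((p.dst, p.src, p.dport, p.sport))  # reply direction
                return "accept"
            return "drop"
        if key in self.connections:
            return "accept"          # <conn> in old_connections
        # Non-first packet with no known connection: vanish, and log the
        # 5-tuple only the first time it is seen (record ... in logged).
        if key not in self.logged:
            self.logged.add(key)
            self.log.append(("bad_conn",) + key)
        return "drop"

    def flush(self):
        """Reboot / policy unload / firewall stop: the connection table is lost,
        so packets of previously established connections are now dropped."""
        self.connections.clear()
```

A flood of spoofed ACKs from one source produces a single log entry rather than a rule-base match per packet, which is the point of the fix; the flush shows the caveat the announcement warns about.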