Bugtraq mailing list archives
Re: FW-1 DOS attack: PART II
From: lance () SPITZNER NET (Spitzner, Lance)
Date: Sun, 1 Aug 1999 11:23:07 -0500
On Sun, 1 Aug 1999, Ramon Krikken wrote: Ramon, you raise some excellent issues, specifically how FW-1 mangles packets. I have not tested that yet, so I cannot confirm nor deny its validity, however I have heard of this behavior before. Looks like I have a new challenge to play with :) Regardless if FW-1 mangles packets, the issue still remains: If I initiate a connection with an ACK packet, and that session is accepted, it is then added to the connections table with a 3600 second timeout(default), regardless if the remote system responds or not. You now have a dead connection sitting in your state table for the next hour. You can quickly fill your connections table, even by accident, because of this. There are a variety of measures you can take to protect against this, all of which I have detailed in my paper. http://www.enteract.com/~lspitz/fwtable.html 1. Decrease TCP Timeout to 15 minutes. 2. Increase your connections table to 50,000 +. 3. Implement a strict Firewall rulebase. 4. Jason Rhoads is developing a PERL script that monitors your connections table. 5. Enable Fastpath/FastMode (this does have other security implications). Thanks for the great feedback!
This is the correct behaviour for all FW1's. When FW1 receives a !SYN-ACK packet it assumes the packet to be part of an established connection. If the connection was not in the connections table, it will be added, and the packet is mangled (strip data and change tcp seq. nr) and forwarded to the remote host. Whether the connection was valid or not, the destination host would reply, and the FW will drop the connection from the table, or keep it. However, the only way the connection is dropped from the table is when the destination host sends two FIN packets, or the timeout value is reached. Therefore if the destination host is not reachable, it takes a while for the connections to vanish. As far as I understand, the rules don't even have to allow the connection. This is because 'drop' in your ruleset does not mean drop. In order to really drop the mangled packets the action needs to be 'vanish' (which is not configurable through the GUI. Edit the .pf files manually). Note that this is how I understand the workings. I might be incorrect in assuming that this explains the problem. On Thu, Jul 29, 1999 at 09:42:39PM -0500, Spitzner, Lance wrote:Now, if you start a connection with an ACK packet, the FW compares it against the rule base, if allowed it is added to the connections table. However, the timeout is set to 3600 seconds and does not care if a remote system responds. You now have a session with a 1 hour timeout, even though no system responded. Now, do this with alot of ACK packets, and you have full connections table.[SNIP]I would greatly appreciate if anyone could prove/disprove this. Also, FW-1's SynDefender did not protect against this attack.
Lance http://www.enteract.com/~lspitz
Current thread:
- Re: FW-1 DOS attack: PART II Spitzner, Lance (Jul 31)
- <Possible follow-ups>
- Re: FW-1 DOS attack: PART II Ramon Krikken (Aug 01)
- Re: FW-1 DOS attack: PART II Spitzner, Lance (Aug 01)
- Re: FW-1 DOS attack: PART II Steve Birnbaum (Aug 03)
- IE5 ActiveX security bug Sami Kuhmonen (Aug 01)
- Re: IE5 ActiveX security bug Adam H. Pendleton (Aug 03)
- Re: IE5 ActiveX security bug Hakeem Shittu (Aug 03)
- Fwd: [SECURITY] New version of samba released Chris Ruvolo (Aug 01)
- midnight commander vulnerability(?) (fwd) coda (Aug 01)
- Re: FW-1 DOS attack: PART II Spitzner, Lance (Aug 01)
- Re: FW-1 DOS attack: PART II Sean Boyle (Aug 02)
- Re: FW-1 DOS attack: PART II Darren Reed (Aug 03)
- Re: FW-1 DOS attack: PART II Leif Sawyer (Aug 03)
- Re: FW-1 DOS attack: PART II Darren Reed (Aug 05)