Bugtraq mailing list archives
Re: FW-1 DOS attack: PART II
From: Sean_Boyle () MENTORG COM (Sean Boyle)
Date: Mon, 2 Aug 1999 09:21:47 -0700
I ran into a similar problem. The connections table has a configurable limit, but the xlation table doesn't (FW-1 3.x). Someone in Rumania (I *think* it was) evidently was unhappy with his ISP, so he sent out a virus which would cause the infected machine to spawn a zillion half-open connections to the ISP. For a FW-1 system running NAT, it would cause a DOS when the xlate table filled. It has a hard limit of 25000. Like many others here, I wrote a Perl script to dump the xlation table, count the slots for a given machine and sort it, allowing me to find the culprit. According to Symantec, it is a relatively uncommon virus.

"Spitzner, Lance" wrote:
I would greatly appreciate if you could pass this along. It does a much better job of explaining what the exact problem/DOS is with FW-1.
. . . .
I would greatly appreciate if anyone could prove/disprove this. Also, FW-1's SynDefender did not protect against this attack.

Lance
http://www.enteract.com/~lspitz
--
"Intrinsically lazy, therefore creative"
PGP Fingerprint: 22 68 D5 18 7F 3D D2 28 38 97 90 97 17 55 61 59
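
Added example, not part of the original post and not the Perl script its author mentions: a Python sketch of the triage described above, counting translation-table slots per internal host, sorting by consumption, and comparing against the 25000 hard limit. The dump line format, the function names and the sample addresses are assumptions constructed for illustration, not real FW-1 output.

```python
import re
from collections import Counter, defaultdict

XLATE_HARD_LIMIT = 25000  # hard limit quoted in the post for FW-1 3.x

# Constructed line format (an assumption, NOT real FW-1 output):
#   <internal_ip>:<port> -> <nat_ip>:<port> -> <dest_ip>:<port>
LINE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*$"
)

def summarize_xlate(lines, limit=XLATE_HARD_LIMIT):
    """Count translation slots per internal host, largest consumer first."""
    slots = Counter()
    dests = defaultdict(Counter)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # header, blank or truncated line
            continue
        src, dst = m.group(1), m.group(5)
        slots[src] += 1
        dests[src][dst] += 1
    total = sum(slots.values())
    hosts = []
    for src, n in slots.most_common():
        top_dst, top_n = dests[src].most_common(1)[0]
        hosts.append({"host": src, "slots": n, "share_of_limit": n / limit,
                      "top_dest": top_dst, "top_dest_share": top_n / n})
    return {"total": total, "utilization": total / limit,
            "skipped": skipped, "hosts": hosts}

def suspects(summary, min_share=0.25):
    """Hosts holding at least min_share of the table's capacity."""
    return [h["host"] for h in summary["hosts"] if h["share_of_limit"] >= min_share]

def constructed_dump():
    """Constructed sample: one host flooding one destination, plus normal traffic."""
    flood = [f"10.1.1.50:{1024 + i} -> 192.0.2.1:{20000 + i} -> 198.51.100.7:80"
             for i in range(9000)]
    normal = ["10.1.1.12:3345 -> 192.0.2.1:40001 -> 203.0.113.5:25",
              "10.1.1.12:3346 -> 192.0.2.1:40002 -> 203.0.113.9:80",
              "10.1.1.30:2211 -> 192.0.2.1:40003 -> 203.0.113.5:53",
              "table header or truncated line"]
    return flood + normal
```

A host whose `top_dest_share` is close to 1.0 while it holds a large share of the table matches the pattern in the post: one infected machine opening connections to a single target.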