Bugtraq mailing list archives

Re: FW-1 DOS attack: PART II


From: Sean_Boyle () MENTORG COM (Sean Boyle)
Date: Mon, 2 Aug 1999 09:21:47 -0700


I ran into a similar problem.  The connections table has a configurable
limit, but the xlation table doesn't (FW-1 3.x).  Someone in Rumania (I
*think* it was) evidently was unhappy with his ISP, so he sent out a
virus which would cause the infected machine to spawn a zillion
half-open connections to the ISP.  For a FW-1 system running NAT, it
would cause a DOS when the xlate table filled.  It has a hard limit of
25000.

Like many others here, I wrote a perl script to dump the xlation table,
count the slots for a given machine and sorted it, allowing me to find
the culprit.  According to Symantec, it is a relatively uncommon virus.

"Spitzner, Lance" wrote:

I would greatly appreciate if you could pass this along.
It does a much better job of explaining what the exact
problem/DOS is with FW-1.
.

.
.
.

I would greatly appreciate if anyone could prove/disprove
this. Also, FW-1's SynDefender did not protect against this
attack.

Lance
http://www.enteract.com/~lspitz

--
"Intrinsically lazy, therefore creative"
PGP Fingerprint: 22 68 D5 18 7F 3D D2 28  38 97 90 97 17 55 61 59
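
The per-host slot count described in the message above, as an added example in Python (not the poster's Perl script, and not code from the thread). The post does not show the FW-1 table dump format, so the "<src, sport, dst, dport, proto>" hex layout, the sample addresses and all function names here are assumptions; only the 25000 hard limit comes from the post.

```python
import ipaddress
import re
from collections import Counter

XLATE_HARD_LIMIT = 25000  # hard limit the post gives for the FW-1 3.x xlate table

# Assumed layout: "<src, sport, dst, dport, proto>" in hex, one entry per line.
ENTRY_RE = re.compile(r"^<\s*([0-9a-f]{8})\s*,\s*([0-9a-f]{8})\s*,", re.I)


def build_sample_dump():
    """Constructed dump: one internal host holding far more slots than the rest."""
    lines = ["-------- xlate table (constructed sample) --------"]
    normal = {"0a010105": 3, "0a010109": 7, "0a010122": 2}  # 10.1.1.5, .9, .34
    for src, n in normal.items():
        for port in range(n):
            lines.append(f"<{src}, {1024 + port:08x}, c6336401, 00000050, 00000006>")
    for port in range(400):  # 10.1.1.77, the noisy host
        lines.append(f"<0a01014d, {2000 + port:08x}, c6336402, 00000019, 00000006>")
    lines.append("<0a0101")  # truncated line, must be skipped
    return "\n".join(lines)


def count_slots(dump_text):
    """Return a Counter mapping dotted-quad source address -> table slots held."""
    counts = Counter()
    for line in dump_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue  # header, blank or truncated line
        counts[str(ipaddress.IPv4Address(int(m.group(1), 16)))] += 1
    return counts


def report(counts, limit=XLATE_HARD_LIMIT, top=5):
    """Sorted (host, slots, percent of hard limit) rows, busiest host first."""
    return [(h, n, round(100.0 * n / limit, 2)) for h, n in counts.most_common(top)]


if __name__ == "__main__":
    for host, slots, pct in report(count_slots(build_sample_dump())):
        print(f"{host:<15} {slots:>6} slots  {pct:>6.2f}% of {XLATE_HARD_LIMIT}")
```

Run periodically against a real dump, the percentage column shows how close a single host is to filling the table before the limit is reached.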


