Bugtraq mailing list archives

Re: Simple DOS attack on FW-1


From: nobody () NOWHERE TO (Anonymous)
Date: Wed, 4 Aug 1999 19:00:01 -0000


I have another take on this thread that might also be of interest to those
that have been following it since last week.  First, kudos to Lance for
the excellent documentation of the denial of service condition brought
about by the mishandling of ACK packets by FW-1.  But:

1) We also now have proof that FW-1 allows ACK stealth scanning.  I
have successfully replicated most of the tests and conditions
originally reported by Lance.
2) FW-1 will still allow ACK stealth scanning even though the fixes
suggested by Lance are correctly implemented.
3) Over time, these ACK scans could generate sufficient data to
determine most of the rules in an installed rule set (and any holes
that might exist).

AFAIK, programs like RealSecure aren't smart enough to pick up this
type of scanning strategy, unless it was run rapidly enough (ala strobe)
to be detected.  NFR might be, but I am still looking into that.  What can
we do?  Unfortunately, looks like we wait for a patch from the boyz at
Checkpoint; that might take awhile.  In the meantime, I've always
some more practice hacking INSPECT... ;-)

cheers,
sh3p4rd

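The post's point about detection is that RealSecure-style detectors only notice an ACK scan when it runs fast, so a slow scan maps the rule set unseen. The example below is added here and is not code from the post, from Lance's write-up or from Check Point; it shows the defender-side alternative: a stateful check that flags ACK-only packets with no preceding SYN on record, counting distinct ports per source rather than packets per second, so spacing the probes out does not hide them. The log format, hosts and ports are constructed for the example.

```python
"""
Flag unsolicited TCP ACK probes in a firewall-style packet log regardless of
how slowly they arrive.  (Added example, not from the original post.)

Instead of a rate threshold, we keep a table of connections that began with a
SYN and report any source whose ACK-bearing packets matched no handshake in
either direction and touched many distinct destination ports.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log: "<epoch> <src>:<sport> -> <dst>:<dport> <flags>".
# 10.0.0.5 is a normal client (SYN, then ACKs); 203.0.113.7 sends bare ACKs
# to six ports ten minutes apart; 198.51.100.3 sends one stray ACK.
SAMPLE_LOG = """\
1000 10.0.0.5:40001 -> 192.0.2.10:80 S
1001 192.0.2.10:80 -> 10.0.0.5:40001 SA
1002 10.0.0.5:40001 -> 192.0.2.10:80 A
1003 10.0.0.5:40001 -> 192.0.2.10:80 PA
1100 203.0.113.7:5555 -> 192.0.2.10:22 A
1700 203.0.113.7:5555 -> 192.0.2.10:25 A
2300 203.0.113.7:5555 -> 192.0.2.10:80 A
2900 203.0.113.7:5555 -> 192.0.2.10:443 A
3500 203.0.113.7:5555 -> 192.0.2.10:3306 A
4100 203.0.113.7:5555 -> 192.0.2.10:8080 A
4200 198.51.100.3:61000 -> 192.0.2.10:80 A
"""


@dataclass(frozen=True)
class Packet:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Packet:
    """Parse one line of the constructed log format into a Packet."""
    ts, src, _arrow, dst, flags = line.split()
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Packet(int(ts), shost, int(sport), dhost, int(dport), flags)


def find_ack_scans(lines: Iterable[str], min_ports: int = 5) -> Dict[str, List[int]]:
    """Return {source_ip: sorted probed ports} for every source whose
    unsolicited ACK packets reached at least min_ports distinct ports.

    Timing is deliberately ignored: a probe every ten minutes scores the
    same as a probe every millisecond.
    """
    # 4-tuples for which a SYN (or SYN/ACK) has been seen, in both directions.
    known: Set[Tuple[str, int, str, int]] = set()
    # Per source: the (dst, dport) pairs hit by ACKs with no handshake on record.
    probes: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        p = parse_line(raw)
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags:
            # A SYN legitimises later ACKs for this connection in both directions.
            known.add(fwd)
            known.add(rev)
            continue
        if "A" in p.flags and fwd not in known:
            # ACK-bearing packet with no handshake behind it: an ACK probe.
            probes[p.src].add((p.dst, p.dport))

    result: Dict[str, List[int]] = {}
    for src, targets in probes.items():
        ports = sorted({port for _, port in targets})
        if len(ports) >= min_ports:
            result[src] = ports
    return result


if __name__ == "__main__":
    for src, ports in find_ack_scans(SAMPLE_LOG.splitlines()).items():
        print(f"ACK scan from {src}: ports {ports}")
```

On the constructed log this reports only 203.0.113.7, even though its probes are ten minutes apart; the legitimate client's ACKs are covered by its SYN, and the single stray ACK stays under the port threshold. In a real deployment the `known` table needs expiry, and the same logic can be run over whatever log the firewall produces for packets it accepted without matching state.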
