Re: NT DoS on FW-1

[malikai () INTERACTIVEALIEN COM (Malikai)]

This issue can be fixed by simply implementing a stealthing rule on the
firewall itself. The problem is in NT's stack, not the FireWalls.

> Jamie Thain wrote:
>
> > Timothy,
> >
> > > I was running nmap against a client's Checkpoint FW-1
> > > when they called to inform me that it had crashed.  I
> > > was not on site so unfortunately I have little
> > > details.
> >
> > I have seen this befor where a high speed port scanner running against
a
> > FW-1 on NT seems to crash it. FW-1 does not exhibit this behaviour on
> > Sun. You may want to check and make sure you have the most recent
patch
> > level. That information is on the FW-1 site.
> >
> > > I DO know that they were running it on a NT
> > > box and it was behind a Cisco 3640.
> >
> > Since they are running this behind a Cisco, why not do something
> > creative like install and access list on the external interface to
help
> > protect the FW-1. Suppose for example, you have the following
situation.
> > fw-1 external interface         209.111.222.10
> > work stations hide behind               .12.
> > the SMTP server is on                   .50
> > and the WEB server is on                .50
> >
> > ( port translated to diff machines )
> > You use an external mail relay at the ISP at 192.167.10.1 and You use
> > for DNS servers on the same network as the SMTP as forwarders in a
split
> > horizion.
> >
> > On the inbound interface of your cisco you could add the following.
> > Cisco does not allow for these comments, they are just there to help.
> >
> > # short cut established packetes
> > access-list 101 permit ip any 209.111.222.0 0.0.0.255 established
> >
> > # prevent non-routed address, anti-spoofing
> > access-list 101 deny ip any 10.0.0.0     0.255.255.255
> > access-list 101 deny ip any 172.16.0.0   0.15.255.255
> > access-list 101 deny ip any 192.168.0.0  0.0.255.255
> >
> > # allow high ports
> > access-list 101 permit tcp any 209.111.222.0 0.0.0.255 gt 1023
> >
> > # allow web service and email. Note the email is to the relay.
> > access-list 101 permit tcp any host 209.111.222.50 eq http
> > access-list 101 permit tcp host 192.167.10.1 host 209.111.222.50 eq
smtp
> > # only allow udp to the network with the DNS on it
> > access-list 101 permit udp 209.111.222.0 0.0.0.255 192.167.10.1
> > 0.0.0.255
> >
> > # don't allow ping (echo) to any port but the smtp/http server
> > # people are funny if they can't ping the hosts...
> >
> > access-list 101 permit icmp any host 209.111.222.50 eq echo
> > access-list 101 deny icmp any any eq echo
> > access-list 101 permit icmp any any
> >
> > # only allow access to 12 and 50 in any case.
> >
> > access-list 101 permit ip any host 209.111.222.12
> > access-list 101 permit ip any host 209.111.222.50
> >
> > interface serial0.1 point-to-point
> >         ip address 209.111.221.252
> >         no ip directed-broadcast
> >         ip access-group 101 in
> >
> > # And on the inbound access list, I normally put a set that only
allows
> > # the two interesting interfaces out...
> >
> > access-list 103 permit ip host 209.111.222.12 any
> > access-list 103 permit ip host 209.111.222.50 any
> >
> > interface ethernet0
> >         ip address 209.111.222.254
> >         no ip directed-broadcast
> >         ip access-group 103 in
> >
> > This of course does not prevent a DOS attack against your FW-1, but it
> > does make attacking it much more difficult. It also has some good
> > things, because the only interfaces that can be accessed are virtual
> > numbers and not the real interface of cards. Also by overloading a
> > single address and doing port translation, for all of your inbound
> > services lets your write far simpler rules in the router.
> >
> > There is no ping requests to any address on any address including the
> > router and FW-1. Of course the only down-side is nmap recognizes that
> > this is Firewalled because of all of the rejects going out. So you
might
> > want to suppress all outbound unreachables on the serial interface. I
> > think that would fix it.
> >
> > Even if you are not this agressive, your router can add a good layer
of
> > security by just chucking stupid scanner requests. I hope CISCO comes
up
> > with a DROP for there access list.
> >
> > The flags that go red in your FW-1 have additional meaning as most of
> > the crap is gone now...
> >
> > regards:jamie
> >
> > PLEASE NOTE::: This access list was typed directly from my head, and
you
> > would need to
> > test it before using it...




 Jason Ihde                                     malikai () interactivealien com
 Networked Systems Consultant     &             Internet Systems Security
 PGP Key available via finger or http://interactivealien.com/~malikai/pgp
        Experience is what you get when you don't get what you want.