Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: taylord () INFOSECURE COM AU (David Taylor)
Date: Fri, 30 Jul 1999 09:09:26 +0800
On Thu, 29 Jul 1999, Lance Spitzner wrote:
[snip] I've stumbled across a simple Denial of Service attack for FW-1, many of you may already be aware of this. You can effectively shutdown FW-1 by filling its connections table. This is easily done in about 15 minutes with most port scanners. When FW-1's state connections table is full, it can no longer accept any more connections (usually between 25,000-35,000 connections, depending on your system). You can increase this number by increasing kernel memory for the FW-1 module and hacking ../lib/table.def) However, a port scanner can build that many connections in a manner of minutes.
Lance, I have seen this also in a Floodgate-1 machine that was positioned outside the firewall. Floodgate-1 is Checkpoint's bandwidth management solution which presumably uses the same state engine. In this particular instance the firewall that had been deployed was not capable of running Floodgate on the same machine, so Floodgate had been deployed on a relatively sacrificial host that was positioned between the firewall and the Internet router. As Floodgate doesn't do any traffic filtering, when I portscanned it from an external point the connections were allowed through to the firewall, where they were dropped without a NACK/RST/FIN coming back the other way. The machine consistently died after a matter of minutes. Some more graceful error handling on Checkpoint's behalf would probably be nice.

Regards,
Dave Taylor
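The exhaustion mechanism both posts describe, as an added example that is not code from the thread or from Check Point: a constructed model of a fixed-capacity state table shows how probes that never get an answer fill it, and how two assumed defender-side controls (a half-open entry timeout and an occupancy alarm) change the outcome. Capacity, timeout and probe rate are constructed values; the table's real sizing is whatever the kernel memory and table.def allow.

```python
# Constructed model of a stateful firewall's connection table (added example,
# not Check Point's code). Each probe to a port whose reply is silently dropped
# leaves a half-open entry that nothing ever closes; with no expiry the table
# fills and every later connection is refused, which is the denial of service.
from collections import OrderedDict

class StateTable:
    def __init__(self, capacity, half_open_timeout_ms=None, alarm_pct=80):
        self.capacity = capacity                    # e.g. 25,000-35,000 on FW-1 per the thread
        self.half_open_timeout_ms = half_open_timeout_ms  # None = entries never expire
        self.alarm_pct = alarm_pct                  # occupancy percentage that raises an alarm
        self.entries = OrderedDict()                # (src, dst, dport) -> first_seen_ms, oldest first
        self.rejected = 0                           # connections refused because the table was full
        self.alarmed_at = None                      # time the occupancy alarm first fired

    def expire(self, now_ms):
        """Evict half-open entries older than the timeout; insertion order is time order."""
        if self.half_open_timeout_ms is None:
            return
        while self.entries:
            key, first_seen = next(iter(self.entries.items()))
            if now_ms - first_seen <= self.half_open_timeout_ms:
                break
            del self.entries[key]

    def add(self, key, now_ms):
        """Record a new connection attempt; return False when the table is full."""
        self.expire(now_ms)
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[key] = now_ms
        if self.alarmed_at is None and 100 * len(self.entries) >= self.alarm_pct * self.capacity:
            self.alarmed_at = now_ms                # defender signal: table nearly full
        return True

def simulate_scan(capacity, half_open_timeout_ms, probes, per_second):
    """One source probing `probes` distinct ports at `per_second`; no reply ever returns."""
    table = StateTable(capacity, half_open_timeout_ms)
    peak = 0
    for i in range(probes):
        now_ms = i * 1000 // per_second             # integer milliseconds, deterministic
        table.add(("scanner", "firewall", i), now_ms)
        peak = max(peak, len(table.entries))
    return {"rejected": table.rejected, "peak": peak, "alarmed_at": table.alarmed_at}
```

With no timeout the table saturates at capacity and refuses everything after it; with a 5-second half-open timeout the same probe stream never holds more than about 500 entries and nothing is refused.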