FW-1 DOS attack: PART II

[lance () SPITZNER NET (Spitzner, Lance)]

I would greatly appreciate if you could pass this along.
It does a much better job of explaing what the exact
problem/DOS is with FW-1.

I would like to clarify exactly how the DOS works.
Everything I am about to cover is documented in
detail at
http://www.enteract.com/~lspitz/fwtable.html

When you start a TCP connection, you send a SYN packet.
When FW-1 filters this packet, it checks it against the rule
base, if the session is allowed, it is added to the
connections table with a timeout of 60 seconds.  When the
remote host responds, the session is bumped up to a 3600
second timeout.

Now, if you start a connection with an ACK packet, the FW
compares it against the rule base, if allowed it is added
to the connections table.  However, the timeout is set to
3600 seconds and does not care if a remote system
responds.  You now have a session with a 1 hour timeout,
even though no system responded.  Now, do this with alot
of ACK packets, and you have full connections table.

Most companies allow http outbound.  Run this command
as root from an internal system, I give your FW about 10
to 15 minutes. If your internal network is a 10.x.x.x,
try 172.16.*.*

nmap -sP 10.*.*.*

nmap is a very powerful port scanner.  With this command
it does only a PING and TCP sweep (default port 80), but
uses an ACK instead of a SYN.

To verify that your connections table is quickly growing,
try "fw tab -t connections -s" at 10 second intervals.

Tested on ver 4.0 SP3 on Solaris x86 2.6.

I would greatly appreciate if anyone could prove/disprove
this. Also, FW-1's SynDefender did not protect against this
attack.

Lance
http://www.enteract.com/~lspitz