Bugtraq mailing list archives
Re: Checkpoint SYN DoS Vulnerability
From: "sanjay naik" <sanjaynaik () hotmail com>
Date: Tue, 16 May 2006 15:57:03 -0400
Pawel,
We have done a complete test using TCPdump on the Checkpoint side and Tethereal on the scanner side. We have tested this on at least 3 different firewalls and found the same issue with our scans.
SYNdefender is disabled on the Nokia/Checkpoint firewall. Nokia's response after seeing the results of the scan has been that SYNdefender is still functional even if we disable it and valid authorized scans won't be allowed from the firewall as that is a product limitation!
I don't agree this is a feature as that would be absurd. SYN Attack Protection is not enabled on the firewalls. The scans are being done from the Internal interface of the firewall and not the external interface. The firewall has a rule to accept ANY services for the scanner. The scans are sometimes successful and sometimes they get garbaged and how does that make it a feature?
Look closely at the NMAP results I had sent. Those are the scans to the same host using the same NMAP options at 2 different times. I hope you see it now.
There is no doubt on the fact that this is a bug and not a feature.
Regards,
Sanjay Naik, CISSP
Sr. Security Consultant
----Original Message Follows----
From: "Pawel Worach" <pawel.worach () gmail com>
To: sanjaynaik () ieee org
CC: bugtraq () securityfocus com
Subject: Re: Checkpoint SYN DoS Vulnerability
Date: Tue, 16 May 2006 21:23:46 +0200
On 5/16/06, sanjay naik <sanjaynaik () hotmail com> wrote:
When a scan is initiated from the Inside interface of Checkpoint firewall, the firewall responds with bogus information intermittently. I would like to submit the following bug for Checkpoint:
I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a default configuration of VPN-1. Here is how a scan of an Internet host looks from a box behind the firewall. Port 21 is closed and port 80 is open on the Internet host.
# nmap -sT -P0 -v -p 21,80 192.36.x.x
...
Interesting ports on public.host.net (192.36.x.x):
PORT   STATE  SERVICE
21/tcp closed ftp
80/tcp open   http
tcpdump says everything is sane, ftp attempt:
21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0
http attempt:
21:04:08.390810 IP proxy1.58059 > public.http: S 2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394968 IP public.http > proxy1.58059: S 1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 885493884 761562441>
21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304 <nop,nop,timestamp 761562445 885493884>
21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304
What CheckPoint products are enabled on the firewall? What are the SmartDefense settings for "TCP/SYN Attack Configuration"?
If "SYN Attack protection" is enabled the firewall does what it's told to do. After x packets/timeout it will switch to SYN relay mode and will do the three-way handshake on behalf of the destination host. This feature is normally only enabled on the external interface.
"It's not a bug, it's a feature"
--
Pawel Worach
Security Specialist, SDO Networks
NP/IBM Sweden
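Added example, not part of the original thread: a small Python check that reads old-style tcpdump text taken on the scanner side and reports, per target port, what a connect() scan would conclude, so two runs against the same host can be compared packet by packet. PAGE_CAPTURE is abridged from the capture quoted above; RELAY_CAPTURE is constructed and assumes a device in SYN relay mode that completes the handshake itself and then resets the connection when the real port is closed. The function name and verdict labels are this example's own.

```python
import re

# Old-style tcpdump text: <time> IP <src>.<sport> > <dst>.<dport>: <flags> ...
LINE = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): (\S+)(.*)$")

# Abridged from the capture quoted in the message above (TCP options dropped).
PAGE_CAPTURE = [
    "21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0) win 65535",
    "21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0",
    "21:04:08.390810 IP proxy1.58059 > public.http: S 2222076892:2222076892(0) win 65535",
    "21:04:08.394968 IP public.http > proxy1.58059: S 1188563319:1188563319(0) ack 2222076893 win 65535",
    "21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304",
    "21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304",
]
# Constructed sample (assumption): the closed ftp port answered by a SYN relay.
RELAY_CAPTURE = [
    "21:09:11.100001 IP proxy1.58101 > public.ftp: S 100:100(0) win 65535",
    "21:09:11.100050 IP public.ftp > proxy1.58101: S 900:900(0) ack 101 win 8192",
    "21:09:11.100090 IP proxy1.58101 > public.ftp: . ack 1 win 33304",
    "21:09:11.104200 IP public.ftp > proxy1.58101: R 1:1(0) ack 1 win 0",
]

def classify(lines, scanner):
    """Map (target, port) to the outcome visible from `scanner` for each SYN it sent."""
    replies = {}  # (target, port, scanner_port) -> ordered replies from the target side
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        if src == scanner and flags == "S":
            replies.setdefault((dst, dport, sport), [])
        elif dst == scanner and (src, sport, dport) in replies:
            if "R" in flags:
                replies[(src, sport, dport)].append("rst")
            elif "S" in flags and " ack " in rest:
                replies[(src, sport, dport)].append("synack")
    verdicts = {}
    for (target, port, _), seen in replies.items():
        if not seen:
            state = "no-reply"
        elif seen[0] == "rst":
            state = "closed"              # RST straight back: connect() fails
        elif "rst" in seen:
            state = "accepted-then-reset" # handshake done, then reset by the far side
        else:
            state = "open"
        verdicts[(target, port)] = state
    return verdicts
```

A connect() scan counts "accepted-then-reset" as open because the handshake completed, so a port that is "closed" in one capture and "accepted-then-reset" in another is the pattern to look for when the same scan gives different results at different times.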