Firewall Wizards mailing list archives

Possible DoS in Oracle Proxy on Gauntlet Firewalls


From: "HARDCASTLE, KEVIN G [FND/1000]" <KEVIN.G.HARDCASTLE () stl monsanto com>
Date: Tue, 4 May 1999 14:32:50 -0500

Over the past month we have been chasing a problem with the Oracle SQL*Net
Proxy for Gauntlet 4.2. 

First, a little history on this proxy.  Oracle supplies an SDK to Network
Associates to allow them to create a proxy for Oracle SQL*Net.  Aside from
the finger pointing between the two, it has been a fairly stable product.
The Oracle proxy works a little bit differently from a normal Gauntlet proxy
in that it does not spawn child processes, but opens threads within
itself called "relays".

As we were testing performance of this proxy we started noticing that we
would lose a relay and it would never be reused until the daemon was stopped
and started.  Normal operation is to reuse the lowest open relay.  These
lost relays started to form a pattern.  We lost one relay every 5 minutes, or
12 an hour.  The Oracle proxy has an internal limit of somewhere between 124
and 256 concurrent relays, depending upon which tech support person you get.
By the end of the day we were hitting the maximum relays and denying
connections.

With the frequency and timing of these events we started down the path of
identifying which process was causing the failure.  Before long we concluded
that our service monitoring package "SiteScope" was our culprit.  Within
this package there are options to check services; basically it performs a
port ping on a specified port to check if it is alive.  From the statistics,
the monitor was receiving proper responses from the firewall.  The theory
is that the proxy tried to handle the request, but without proper database
information or SID for Oracle the proxy did not know how to pass it on and
held the relay forever.  After we stopped that particular check we have not
seen relay usage exceed 10 concurrent queries.  A lot of tail chasing to
find out we shot ourselves in the foot by trying to set up too many monitors.

What SiteScope did was simple enough to change to every minute, or if
multiple copies of an application like this were pointed at a firewall, it
could potentially shut the Oracle service down in minutes.  In our case the
monitor was included in the rule set to converse with the firewall, but that
is easily spoofed in the wild.  Self-inflicted Denial of Service, God I love
this job.


Kevin Hardcastle
Monsanto Web Infrastructure Team
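Added illustration, not part of Kevin's post or of the Gauntlet proxy code: a small Python model of a relay pool that behaves the way the post describes (lowest free relay is reused; a bare TCP port ping that never sends a SQL*Net CONNECT packet pins its relay forever), run beside a variant with a hypothetical handshake timeout that reaps relays which never completed the protocol exchange. The relay limit (124) and probe interval (one port ping every 5 minutes) come from the post; the one-real-query-per-interval workload, the 60-second timeout and all names here are assumptions for the demonstration.

```python
"""Model of proxy relay exhaustion by monitor port pings (added example).

Assumptions not stated in the original post:
  - the proxy hands out the lowest free relay number,
  - a relay is released only when the client session ends normally,
  - a "port ping" is a TCP connect that sends no SQL*Net CONNECT packet,
  - handshake_timeout (reaping relays that never saw CONNECT) is a
    hypothetical mitigation, not a documented Gauntlet setting.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Relay:
    number: int
    opened_at: float        # seconds since simulation start
    got_connect: bool       # did the client ever send a CONNECT packet?


@dataclass
class RelayPool:
    max_relays: int
    handshake_timeout: Optional[float] = None   # None = leaky, never reaped
    relays: Dict[int, Relay] = field(default_factory=dict)
    refused: int = 0

    def _lowest_free(self) -> Optional[int]:
        for n in range(self.max_relays):
            if n not in self.relays:
                return n
        return None

    def accept(self, now: float, sends_connect: bool) -> Optional[int]:
        """Client TCP connect.  Returns the relay number, or None if refused."""
        self.reap(now)
        n = self._lowest_free()
        if n is None:
            self.refused += 1
            return None
        self.relays[n] = Relay(n, now, sends_connect)
        return n

    def finish(self, n: int) -> None:
        """Normal end of a SQL*Net session: the relay becomes reusable."""
        self.relays.pop(n, None)

    def reap(self, now: float) -> int:
        """Free relays that never received CONNECT within the timeout."""
        if self.handshake_timeout is None:
            return 0
        stale = [n for n, r in self.relays.items()
                 if not r.got_connect
                 and now - r.opened_at >= self.handshake_timeout]
        for n in stale:
            del self.relays[n]
        return len(stale)

    def in_use(self) -> int:
        return len(self.relays)


def simulate(hours: float, probe_interval_s: float = 300.0,
             max_relays: int = 124,
             handshake_timeout: Optional[float] = None) -> dict:
    """A monitor port-pings every probe_interval_s; one real client query
    (which does send CONNECT and finishes cleanly) follows each ping and
    should never be refused."""
    pool = RelayPool(max_relays, handshake_timeout)
    t, end = 0.0, hours * 3600.0
    first_refusal: Optional[float] = None
    while t < end:
        # monitor's port ping: connect, no CONNECT packet, client closes
        if pool.accept(t, sends_connect=False) is None and first_refusal is None:
            first_refusal = t
        # real query one second later: CONNECT sent, session finishes
        n = pool.accept(t + 1.0, sends_connect=True)
        if n is not None:
            pool.finish(n)
        elif first_refusal is None:
            first_refusal = t + 1.0
        t += probe_interval_s
    pool.reap(end)   # final sweep so stale probe relays do not linger
    return {"in_use": pool.in_use(), "refused": pool.refused,
            "first_refusal_s": first_refusal}


if __name__ == "__main__":
    print("leaky proxy, 24h:   ", simulate(24))
    print("60s handshake reap: ", simulate(24, handshake_timeout=60.0))
```

With the leaky pool the first real query is refused a little over ten hours in (124 relays at 12 leaks per hour), matching the "by the end of the day" exhaustion in the post; with a handshake timeout the pool never fills. The operational fix the post arrived at, dropping the bare port ping, is modelled simply by not calling the probe branch at all.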


