Firewall Wizards mailing list archives
Possible DoS in Oracle Proxy on Gauntlet Firewalls
From: "HARDCASTLE, KEVIN G [FND/1000]" <KEVIN.G.HARDCASTLE () stl monsanto com>
Date: Tue, 4 May 1999 14:32:50 -0500
Over the past month we have been chasing a problem with the Oracle SQL*Net Proxy for Gauntlet 4.2. First, a little history on this proxy. Oracle supplies an SDK to Network Associates to allow them to create a proxy for Oracle SQL*Net. Aside from the finger pointing between the two, it has been a fairly stable product. The Oracle proxy works a little bit differently from a normal Gauntlet proxy in that it does not spawn child processes, but it opens threads within itself called "relays".

As we were testing performance of this proxy we started noticing that we would lose a relay and it would never be reused until the daemon was stopped and started. Normal operation is to reuse the lowest open relay. These lost relays started to form a pattern. We lost one relay every 5 minutes or 12 an hour. The Oracle proxy has an internal limit of somewhere between 124 and 256 concurrent relays depending upon which tech support person you get. By the end of the day we were hitting the maximum relays and denying connections.

With the frequency and timing of these events we started down the path of identifying which process was causing the failure. Before long we concurred that our service monitoring package "SiteScope" was our culprit. Within this package there are options to check services; basically it performs a port ping on a specified port to check if it was alive. From the statistics the monitor was receiving proper responses from the firewall. It is our theory that the proxy tried to handle the request, but without proper database information or SID for Oracle the proxy did not know how to pass it on and held the relay forever. After we stopped that particular check we have not seen relay usage exceed 10 concurrent queries. A lot of tail chasing to find out we shot ourselves in the foot by trying to set up too many monitors.

What SiteScope did was simple enough to change to every minute, or if multiple copies of an application like this were pointed at a firewall it could potentially shut the Oracle service down in minutes. In our case the monitor was included in the rule set to converse with the firewall, but that is easily spoofed in the wild.

Self-inflicted Denial of Service; God, I love this job.

Kevin Hardcastle
Monsanto Web Infrastructure Team
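
An added example, not part of the original post: one way to spot the relay leak described above from relay open/close events and project when the limit would be reached. The event tuple format, the addresses and the one-hour staleness threshold are assumptions (the post does not show the proxy's log format); the 5-minute probe interval and the lower relay limit of 124 come from the post.

```python
from collections import defaultdict
from statistics import median

RELAY_LIMIT = 124      # lower bound of the 124-256 range quoted in the post
MAX_RELAY_AGE = 3600   # assumption: a relay open for over an hour is stuck

def make_sample_events():
    """Constructed events: (epoch_seconds, action, relay_id, source)."""
    events = []
    # A monitor probe every 300 s whose relay is opened and never closed.
    for i in range(24):
        events.append((i * 300, "open", i, "10.0.0.5"))
    # Ordinary client queries that open and close a relay within a minute.
    for i in range(10):
        t = 100 + i * 700
        events.append((t, "open", 100 + i, "10.0.0.9"))
        events.append((t + 40, "close", 100 + i, "10.0.0.9"))
    return sorted(events)

def find_stuck_relays(events, now, max_age=MAX_RELAY_AGE):
    """Return {relay_id: (opened_at, source)} for relays open longer than max_age."""
    open_relays = {}
    for ts, action, relay_id, source in events:
        if action == "open":
            open_relays[relay_id] = (ts, source)
        elif action == "close":
            open_relays.pop(relay_id, None)
    return {r: v for r, v in open_relays.items() if now - v[0] > max_age}

def leak_profile(stuck):
    """Per source: number of stuck relays and median seconds between their opens."""
    by_source = defaultdict(list)
    for opened_at, source in stuck.values():
        by_source[source].append(opened_at)
    profile = {}
    for source, times in by_source.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        profile[source] = (len(times), median(gaps) if gaps else None)
    return profile

def hours_until_full(stuck_count, interval_seconds, limit=RELAY_LIMIT):
    """Hours until stuck relays alone reach the limit at the observed interval."""
    return (limit - stuck_count) * interval_seconds / 3600

if __name__ == "__main__":
    stuck = find_stuck_relays(make_sample_events(), now=24 * 300)
    for source, (count, gap) in leak_profile(stuck).items():
        print(source, count, gap, round(hours_until_full(count, gap), 1))
```

A steady gap between stuck relays from a single source, as in the constructed data, points at a scheduled checker rather than ordinary client traffic.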