Firewall Wizards mailing list archives
Re: Netscreen firewall and portscans?
From: David Lang <dlang () diginsite com>
Date: Wed, 6 Feb 2002 15:15:37 -0800 (PST)
I missed the initial post, but the F5 could be contacting them to try and figure out the best way to route their traffic.

David Lang

On Wed, 6 Feb 2002 damiank () anobi-asp com wrote:
Date: Wed, 6 Feb 2002 14:31:22 -0600
From: damiank () anobi-asp com
To: Tracy R Reed <treed () ultraviolet org>, firewall-wizards () nfr com
Subject: Re: [fw-wiz] Netscreen firewall and portscans?

This may be related. One question, why would your F5 be contacting their site anyway? Also, as this issue points out, the DOS could have resulted from their internal network...

February 5, 2002

NetScreen Response to: "NetScreen ScreenOS Port Scan DoS Vulnerability"

This issue was reported to NetScreen on February 1, 2002 and simultaneously reported to BugTraq () SecurityFocus com (visible as http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=4015), and SecurityTracker.com (http://securitytracker.com/alerts/2002/Feb/1003421.html), among others.

The reported issue involves the initiation of a Port Scan against a host reachable via the "Untrust" interface from or by a user attached to the "Trust" interface of a NetScreen device, and potentially consuming all available sessions resulting in a denial of service attack against the "Trusted" network.

If a port scan were initiated against a host that responded to the scans (with either ICMP unreachable or RST), the NetScreen device would immediately close each of the sessions established during the port scan, making them available for reuse.

ScreenOS has a default session inactivity timeout of 30 minutes. Both pre-defined and custom services can be adjusted in timeout value from 1 minute to 2 days. After waiting the default 30 minutes (or the length of time the administrator adjusted the time interval to), port scans to the unresponsive host will time out and the session entries in the NetScreen device will be cleared for reuse.

This problem can occur more quickly on NetScreen devices that have smaller session tables. For example, the NetScreen-5XP has a maximum of 2,048 sessions, and the NetScreen-1000 has a maximum of 500,000 sessions.
Obviously, the session table on a NetScreen-5XP will be consumed faster than on a NetScreen-1000.

NetScreen released new features that addressed this issue in several manners beginning in September 2001.

One feature called Source IP Session Thresholding can be used to mitigate the likelihood of this issue arising in the first place. This feature was introduced as a CLI command in ScreenOS version 2.6.1r2, and has been incorporated into the WebUI starting with ScreenOS version 3.0. The command

    set firewall session-threshold source-ip-based [num]

limits any one source IP from the trusted side to [num] number of concurrent sessions. Since the NetScreen-5XP can support 2,048 concurrent sessions, NetScreen recommends the higher of the following two numbers as a starting point: 100, or 2048/n where "n" is the number of systems on the "Trust" side network. Administrators are advised to check their flow counters to see if that's an acceptable number, and modify accordingly.

Next, releases of ScreenOS 3.0.0 and later allow the administrator to forcibly clear sessions based on characteristics of those sessions such as source IP address, destination IP address, source port, destination port, source MAC address, and/or destination MAC address. For example, the command

    clear session dst-ip <a.b.c.d>

will clear all active sessions to destination IP address a.b.c.d from the NetScreen active session table. This command can be used to recover from a wild port scan without waiting for all sessions to age out or without resetting the NetScreen device.

Lastly, ScreenOS 3.1.0 and later allow the administrator to enable firewall protections, including port scan protections, on any interface.

NetScreen recommends all customers to upgrade to the latest version of ScreenOS supported by their hardware and then to enable one or all of the above features to minimize the likelihood of being affected by this issue.
The latest currently available versions of ScreenOS at the time of this writing for each NetScreen device are:

    Hardware          ScreenOS release
    NetScreen-5       2.6.1r6
    NetScreen-5XP     3.0.1r1
    NetScreen-10      3.0.1r1
    NetScreen-25      3.0.0r1
    NetScreen-50      3.0.0r1
    NetScreen-100     3.0.1r1
    NetScreen-204     3.1.0r1
    NetScreen-208     3.1.0r1
    NetScreen-500     3.1.0r1
    NetScreen-1000    2.8.0r1

For more information, click on the following NetScreen White Papers and you will be directed to our Solutions section:

Principles of Secure Network Design
Internet Worms and the Malicious URL feature

----- Original Message -----
From: "Tracy R Reed" <treed () ultraviolet org>
To: <firewall-wizards () nfr com>
Sent: Tuesday, February 05, 2002 4:51 PM
Subject: [fw-wiz] Netscreen firewall and portscans?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
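The NetScreen response quoted in the thread describes three things worth seeing together: a fixed-size session table whose entries are only released when the far end answers (RST or ICMP unreachable) or when the inactivity timeout expires, a per-source session threshold sized as the higher of 100 or capacity/n, and an administrative "clear session dst-ip" that frees entries without a reboot. The following model is an added illustration written for this archive page; it is not ScreenOS code and not from any poster. Class, method and parameter names (SessionTable, per_source_limit, recommended_threshold, simulate_scan) are assumptions made here, and the addresses and port ranges are constructed sample values. It reproduces only the firewall side of the behaviour: what the table does when a trusted host scans a silent untrusted host, and how the threshold and clear commands change the outcome for the other trusted hosts.

```python
"""Model of a stateful firewall session table as described in the
NetScreen response above (added example; names are assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Key = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


@dataclass
class SessionTable:
    capacity: int                           # e.g. 2048 on a NetScreen-5XP
    timeout: float = 30 * 60                # default inactivity timeout, seconds
    per_source_limit: Optional[int] = None  # models 'set firewall session-threshold source-ip-based'
    sessions: Dict[Key, float] = field(default_factory=dict)  # key -> last activity time
    dropped: int = 0                        # new-session attempts refused

    def expire(self, now: float) -> int:
        """Age out sessions idle for at least `timeout`; return how many were freed."""
        stale = [k for k, t in self.sessions.items() if now - t >= self.timeout]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def _count_from(self, src_ip: str) -> int:
        return sum(1 for (s, _, _) in self.sessions if s == src_ip)

    def open(self, now: float, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Try to create a session; refused when the per-source threshold or the table is full."""
        self.expire(now)
        if self.per_source_limit is not None and self._count_from(src_ip) >= self.per_source_limit:
            self.dropped += 1
            return False
        if len(self.sessions) >= self.capacity:
            self.dropped += 1
            return False
        self.sessions[(src_ip, dst_ip, dst_port)] = now
        return True

    def close(self, src_ip: str, dst_ip: str, dst_port: int) -> None:
        """Immediate close, as happens when the target answers with RST / ICMP unreachable."""
        self.sessions.pop((src_ip, dst_ip, dst_port), None)

    def clear_dst_ip(self, dst_ip: str) -> int:
        """Models 'clear session dst-ip <a.b.c.d>'; returns the number of sessions freed."""
        victims = [k for k in self.sessions if k[1] == dst_ip]
        for k in victims:
            del self.sessions[k]
        return len(victims)


def recommended_threshold(capacity: int, trust_hosts: int) -> int:
    """Starting point from the advisory: the higher of 100 or capacity / n."""
    return max(100, capacity // trust_hosts)


def simulate_scan(table: SessionTable, src: str, dst: str, ports, responds: bool,
                  rate: float = 100.0) -> int:
    """Walk `ports` on dst from src at `rate` attempts/second. If the target
    responds, the firewall closes each session at once; if it is silent the
    entry stays until it ages out. Returns the number of sessions left open."""
    for i, port in enumerate(ports):
        if table.open(i / rate, src, dst, port) and responds:
            table.close(src, dst, port)
    return len(table.sessions)


if __name__ == "__main__":
    # Constructed scenario: one trusted host scans 3000 ports on a silent untrusted host
    # through a device with a 2048-entry table (NetScreen-5XP size in the advisory).
    t = SessionTable(capacity=2048)
    print("open sessions after scan of silent host:", simulate_scan(t, "192.0.2.10", "198.51.100.5", range(1, 3001), responds=False))
    print("second trusted host can connect:", t.open(40.0, "192.0.2.11", "198.51.100.5", 80))
    print("freed by clear session dst-ip:", t.clear_dst_ip("198.51.100.5"))
    print("second trusted host can connect now:", t.open(41.0, "192.0.2.11", "198.51.100.5", 80))

    t3 = SessionTable(capacity=2048, per_source_limit=recommended_threshold(2048, 50))
    print("open sessions with per-source threshold:", simulate_scan(t3, "192.0.2.10", "198.51.100.5", range(1, 3001), responds=False))
```

The two runs at the bottom show the point of the advisory: without a threshold the scanning host alone fills the whole table and every other trusted host is refused until entries age out or are cleared; with the threshold sized by recommended_threshold, the scanner is capped at its own share and the rest of the table stays free. Changing `responds=False` to `True` models a target that answers, in which case no sessions accumulate at all.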