Re: Raptor Firewall

[H D Moore <hdm () digitaloffense net>]

I have seen this happen in one case where the customer had incorrectly 
configured the firewall to have two rules that both matched a packet. When a 
syn hit that port, the Raptor box would go into fits and start spewing what 
looked to be developer debug statements. I don't remember the version they we 
running or how the conflicting rules were created, just that there were two 
rules matching the same connection.

Does the firewall spit anything out on the console (popups, error logs, etc)? 
Does a TCP connect scan cause the same problem?

-HD



On Thursday 06 December 2001 06:06 pm, Stuart wrote:
> We've run a pentest against a customer recently and found that the very act
> of port scanning their Raptor firewall (running on NT) crippled its ability
> to accept incoming connections for their web site. The firewall is a new
> high spec PIII and the least line is a decent size. The nmap scans were
> standard timing (not T5 or anything daft) - once the scans were stopped,
> things burst back in to life within about 10minutes.
[ snip ]
> Does this ring any bells with anyone? Seems very odd to me... a portscan
> should not cause a DOS by itself...



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/