Vulnerability Development mailing list archives

RE: Firewall-1 and ISA D.o.S.


From: "Dom De Vitto" <Dom () DeVitto com>
Date: Sun, 17 Feb 2002 22:50:27 -0000

Just increase the size of the statetable, which you should
have done when sizing the links going into your firewall.

e.g.:
Checkpoint: Check phoneboy for the table size poke.
Pix: *never* enter nat/static translations without
specifying max embryonic/setup connections.

Problem solved ("RTFM" and "THINK")
Dom
 |-----Original Message-----
 |From: overclocking_a_la_abuela () hotmail com 
 |[mailto:overclocking_a_la_abuela () hotmail com] 
 |Sent: Sunday, February 17, 2002 3:18 PM
 |To: vuln-dev () securityfocus com
 |Subject: Firewall-1 and ISA D.o.S.
 |
 |Hi,
 |
 |last year I reported a denial of service to
 |Firewall-1 : flooding on port 264 ( fw1_topo ).
 |Check Point was not able to reproduce this attack
 |so they never recognised it as a real problem. Now,
 |many security-concerned sites have this behaviour
 |in their firewalls' bug lists.
 |You can stop this attack if you manually create
 |all the rules and limit the access to this port (
 |264 ) only to clients that need it. But there was
 |a special situation : a firewall that accepts
 |connections to fw1_topo with ANY as source to
 |allow SecuRemote connections with a dynamic IP
 |address...
 |For this D.o.S. to succeed you needed a fast link
 |so the only real scenario was to attack from the
 |internal network.
 |Probably, too many requisites needed,...OK.
 |
 |So, what if I am an external attacker ?
 |I can build a trojan and mail it to some internal
 |user of the target network. The trojan will send
 |packets to some external IP, to force them to pass
 |through the Firewall-1. This time, we do not need
 |to know the Firewall IP, we only send a lot of
 |packets to port 80 with the SYN flag. Simple, rude
 |but effective. My tests always finish with the
 |firewall completely frozen.
 |The firewall machine is a Professional Win2000,
 |PII 350 with 320 MB. Link is a 10 MB ethernet.
 |The software used is ippacket. Now the packet we
 |build is :
 |
 |-source : valid internal IP ( does not matter )
 |-dest : external IP
 |-source port : 10000 ( does not matter )
 |-dest port : 80 ( probably the firewall rules
 |accept it )
 |-flags : SYN
 |-mode : -1 ( continuous mode )
 |
 |In the case of Microsoft ISA Server I have been
 |trying some types of packets to flood it, and the
 |one that seems to freeze the firewall is this ( land
 |):
 |
 |-source : internal ISA IP
 |-dest : internal ISA IP
 |-source port : 8080
 |-dest port : 8080
 |-flags : SYN
 |-mode : -1 ( continuous mode )
 |
 |And the ISA stops responding : clients will not be
 |able to surf the web, ISA machine does not
 |respond ( CTRL + ALT + SUP does not work ), ...
 |These tests have been done with an ISA configured
 |with http proxy on port 8080 on a Win2000 Server.
 |
 |Generally, I think it is not difficult to smash a
 |firewall if you are on the local network. You only
 |have to find which packets will force the
 |forwarding/filtering device to work hard : if the
 |firewall uses proxies, some kind of
 |authentication, some stateful inspection, etc,
 |then it is an easy job. Now, it seems that old
 |packet filters are more effective at defending against
 |these attacks, since they do not do a deep inspection...
 |
 |So, is this a general flaw in modern firewalls ?
 |Are they unable to manage large amounts of
 |connection requests ?
 |Bad guys are not only in the wild, they can be in
 |your network, or they can begin an attack from
 |your internal network with a trojan.
 |I would appreciate some feedback, please.
 |
 |Hugo Vázquez Caramés
 |Security Consultant
 |Barcelona
 |SPAIN
 |
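As an added example that is not part of the thread, a small Python model of the state-table behaviour both messages describe: every unanswered SYN consumes a half-open entry, while a per-destination cap on embryonic connections (the kind of limit Dom recommends on PIX) bounds the table, at the cost of also refusing later legitimate SYNs to a destination that is under flood. The events are constructed, and the 4-tuple keying and single SYN/ACK completion are simplifying assumptions, not how any particular product implements it.

```python
from collections import defaultdict

# Constructed sample, not captured traffic: (src, sport, dst, dport, flags).
# "S" is a client SYN; "SA" is the server's SYN/ACK, which in this simplified
# model completes the handshake and releases the half-open entry.
SAMPLE_EVENTS = (
    [("10.0.0.7", 40001, "203.0.113.10", 80, "S"),
     ("203.0.113.10", 80, "10.0.0.7", 40001, "SA")]          # legitimate handshake
    + [("10.0.0.5", 10000 + i, "203.0.113.10", 80, "S") for i in range(6)]  # flood
    + [("10.0.0.9", 40002, "203.0.113.10", 80, "S")]         # later legitimate SYN
    + [("192.168.1.1", 8080, "192.168.1.1", 8080, "S")]      # land-style packet
)

def track(events, max_embryonic):
    """Replay events through a toy state table with a per-(dst, dport) cap on
    half-open (embryonic) entries.

    Returns counts of established flows, remaining half-open entries, SYNs
    refused by the cap, and land packets (src==dst and sport==dport).
    """
    half_open = set()               # 4-tuples with a SYN but no SYN/ACK yet
    per_dst = defaultdict(int)      # half-open entries per (dst, dport)
    established = dropped = land = 0
    for src, sport, dst, dport, flags in events:
        if flags == "S":
            if src == dst and sport == dport:
                land += 1           # no state is ever created for a land packet
                continue
            key = (src, sport, dst, dport)
            if key in half_open:
                continue            # retransmitted SYN reuses the existing entry
            if per_dst[(dst, dport)] >= max_embryonic:
                dropped += 1        # cap reached: refuse instead of growing the table
                continue
            half_open.add(key)
            per_dst[(dst, dport)] += 1
        elif flags == "SA":
            key = (dst, dport, src, sport)   # the SYN that this SYN/ACK answers
            if key in half_open:
                half_open.remove(key)
                per_dst[(src, sport)] -= 1
                established += 1
    return {"established": established, "half_open": len(half_open),
            "dropped": dropped, "land": land}

if __name__ == "__main__":
    print("capped:  ", track(SAMPLE_EVENTS, max_embryonic=4))
    print("uncapped:", track(SAMPLE_EVENTS, max_embryonic=float("inf")))
```

With the cap the table stays at four entries and three SYNs are refused (two from the flood plus the later legitimate one); without it every flood SYN becomes a table entry.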

