CERT VU#539363

From: Mike Hoskins (mike@adept.org)
Date: 10/16/02


Date: Wed, 16 Oct 2002 13:02:53 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: freebsd-security@freebsd.org


I'm sure everyone saw this on Bugtraq, firewalls, firewall-wizards, etc...
But I noticed Apple was quick to respond with a 'we're not vulnerable'
regarding OS X and wondered if we could draw similar conclusions.

From their "Solution" section:

"Use firewall features that detect and block flood traffic"

I assume they mean things like the PIX can do... Monitor for excessive
SYNs from foreign hosts and throttle connections (or deny them entirely
after a threshold). However, if the attacker used randomly forged source
addresses to an open port on the firewall, I don't see how these features
would really help.

"Use dynamically resizeable state tables"

Couldn't this hurt more at some point? Assuming the attacker has time and
is able to forge IPs... A state table has to either become full
(reach net.inet.ip.fw.dyn_max) or use all available resources at some
point, right? Hard to say which is better.

"Use separate timeout values for initial sessions"

net.inet.ip.fw.dyn_syn_lifetime ?

"Use dynamically adjustable session timers (Aggressive Aging)"

Do they mean the net.inet.ip.fw.dyn_* timers? If so, what sort of
algorithm would do this "dynamic" adjustment, and based upon what
criteria?

A couple of possible cases...

A large number of rules are created for a given host... So the timeout
values for rules associated with that host are cut short until the total
rules from that host return below some threshold.

Or maybe a lot of rules are created for a set of hosts causing the state
table to grow to within some threshold of net.inet.ip.fw.dyn_max, causing
the lifetime of all rules to be shortened and hopefully create more room
for additional rules.

"Allow connection tracking to be disabled"

I.e. Turn off statefulness? I suppose that could give one time to find a
real solution, but it may require a lot of work. :)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
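The two "aggressive aging" policies the post sketches (cutting the lifetimes of rules held by a single host once it passes a threshold, and cutting every rule's lifetime once the table comes within some margin of net.inet.ip.fw.dyn_max) can be tried out in a small simulation. The code below is an added example, not part of the original message and not FreeBSD's ipfw code: the `DynTable` class, its parameters, the flood rate, the 10/8 counter used for forged sources and the TEST-NET addresses are all constructed for the illustration, and the sysctl names are only borrowed as parameter names. It runs a flood plus one legitimate client against the table with aging off and on, and shows the post's own objection: with a unique forged source per packet the per-host rule never fires, while the global shortening still keeps the table under dyn_max so the legitimate client is never refused.

```python
"""Simulation of per-host and global "aggressive aging" for a dynamic-rule
table.  Added illustration, not FreeBSD ipfw code; every value is constructed."""
from itertools import count


class DynTable:
    """Toy dynamic-rule table keyed by (source address, source port)."""

    def __init__(self, aggressive, dyn_max=1000, dyn_syn_lifetime=20,
                 per_host_limit=50, high_water=0.8, short_lifetime=2):
        self.aggressive = aggressive              # aging policy on or off
        self.dyn_max = dyn_max                    # hard cap, like net.inet.ip.fw.dyn_max
        self.dyn_syn_lifetime = dyn_syn_lifetime  # base lifetime of a new rule (s)
        self.per_host_limit = per_host_limit      # rules one source may hold before aging
        self.high_water = high_water              # fraction of dyn_max that triggers aging
        self.short_lifetime = short_lifetime      # lifetime applied under pressure (s)
        self.rules = {}                           # (src, sport) -> expiry time
        self.per_host = {}                        # src -> number of live rules
        self.events = {"per_host": 0, "global": 0}  # how often each policy fired

    def _shorten(self, now, match):
        """Cut the remaining lifetime of every rule accepted by `match`."""
        deadline = now + self.short_lifetime
        for key, expiry in self.rules.items():
            if match(key) and expiry > deadline:
                self.rules[key] = deadline

    def expire(self, now):
        """Drop rules whose lifetime has run out (called once per second)."""
        for key in [k for k, exp in self.rules.items() if exp <= now]:
            del self.rules[key]
            self.per_host[key[0]] -= 1

    def add(self, src, sport, now):
        """Install a dynamic rule; return False if the table is full."""
        if len(self.rules) >= self.dyn_max:
            return False
        lifetime = self.dyn_syn_lifetime
        if self.aggressive:
            # Case 1 from the post: one host holds too many rules, so its
            # existing rules are cut short and its new one starts short.
            if self.per_host.get(src, 0) >= self.per_host_limit:
                self._shorten(now, lambda k: k[0] == src)
                lifetime = self.short_lifetime
                self.events["per_host"] += 1
            # Case 2: the table is within the high-water mark of dyn_max, so
            # every rule is shortened to make room for new ones.
            if len(self.rules) >= self.high_water * self.dyn_max:
                self._shorten(now, lambda k: True)
                lifetime = self.short_lifetime
                self.events["global"] += 1
        self.rules[(src, sport)] = now + lifetime
        self.per_host[src] = self.per_host.get(src, 0) + 1
        return True


def simulate(aggressive, forged_sources, seconds=60, flood_rate=100):
    """Run a flood plus one legitimate client for `seconds` seconds.

    Returns (legitimate connections refused, peak table size, aging events).
    """
    table = DynTable(aggressive)
    ports = count(1024)                      # unique source port per packet
    refused, peak = 0, 0
    for now in range(seconds):
        table.expire(now)
        for i in range(flood_rate):
            n = now * flood_rate + i
            # Forged sources are unique per packet (constructed 10/8 values);
            # otherwise the whole flood comes from one fixed address.
            src = (f"10.{n >> 16 & 255}.{n >> 8 & 255}.{n & 255}"
                   if forged_sources else "198.51.100.7")
            table.add(src, next(ports), now)
        # One legitimate client (TEST-NET address) opens a connection per second.
        if not table.add("203.0.113.5", next(ports), now):
            refused += 1
        peak = max(peak, len(table.rules))
    return refused, peak, table.events


if __name__ == "__main__":
    for aging in (False, True):
        for forged in (True, False):
            print(f"aging={aging!s:5} forged={forged!s:5} ->",
                  simulate(aging, forged))
```

With aging off the table reaches dyn_max about nine seconds into the flood and the client is refused every second until enough 20-second rules expire, which repeats each cycle. With aging on and forged sources, "per_host" stays at zero (every source is new) while "global" fires near the high-water mark and empties the table within short_lifetime seconds, so the client is never refused; with a single real flooding source the per-host rule alone keeps that host to a couple of hundred rules and the global rule never needs to fire.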
