RE: [Full-disclosure] Checkpoint VPN DoS woes

From: Ray P (sixsigma98_at_hotmail.com)
Date: 09/26/05

    To: sil@infiltrated.net, full-disclosure@lists.grok.org.uk
    Date: Sun, 25 Sep 2005 23:45:49 +0000
    
    

    Hi J.,

    I guess I'm missing something. If the spoofed source address was 10.10.10.10
    and it originated from the internal network, then it would have had to get
    to the Check Point firewall via some route you have set up or the default
    route. When a packet hits a Check Point interface and its source IP is not
    from that segment as defined in the anti-spoofing topology, Check Point will
    drop it. In fact I monitor spoofing drops daily just to see what's going on
    in the world.

    "After a reboot of both the router and the Linux server" - What router? The
    one between the Check Point internal interface and your LAN?

    Since this involves a SofaWare box, you probably would do better to post it
    on the Discussion Groups at www.sofaware.com. Those are official support
    forums and they do monitor and reply to postings frequently. You also might
    want to try the 5.0.92 firmware as that's what is current.

    Ray

    >From: "J. Oquendo" <sil@infiltrated.net>
    >To: full-disclosure@lists.grok.org.uk
    >Subject: [Full-disclosure] Checkpoint VPN DoS woes
    >Date: Tue, 20 Sep 2005 14:50:28 -0400 (EDT)
    >
    >
    >While tinkering with my VPN connections, servers, firewalls and routers, I
    >brought the network down to its knees with an attack from one machine to
    >itself using a spoofed private address. The program I was using was
    >something I wrote and it shredded my Checkpoint and its VPNs to oblivion
    >both internally and externally. This is what syslog-ng reported before the
    >connection was toasted...
    >
    >Sep 20 13:06:09 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:08:13 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:08:19 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:08:20 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:08:26 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:08:32 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:08:38 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:08:50 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:10:56 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >Sep 20 13:13:02 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
    >
    >I had to connect to my firewall from an outside source because my
    >internal connection (10.1.11.0/24 range) was unable to either send or
    >receive any kind of packets. Seems like the program choked the firewall.
    >After a reboot of both the router and the Linux server I set up to do my
    >pentest, the router was still choked until I shut down the Linux machine.
    >All of this with 149 packets...
    >
    >[root@hades log]# uname -a
    >Linux hades 2.6.9-11.ELsmp #1 SMP Wed Jun 8 17:54:20 CDT 2005 i686 i686
    >i386 GNU/Linux
    >
    >Network would not come back up without this machine being offline. Linux
    >machine was choked to shreds as well. Won't post code for now but I would
    >like someone over at Checkpoint to have a browse at it to assess what went
    >on. Addresses and names are obviously removed. Again... Someone at
    >Checkpoint or better. People looking for stupid DoS tools will not receive
    >a response, this message is not meant for you - or j0o however you want to
    >be addressed.
    >
    ># ssh xxxxx@xxx.xxx.xxx.xxx
    >xxxxx@xxx.xxx.xxx.xxx's password:
    >Welcome to Safe@Office 425W, unlimited nodes 5.0.90x 00:08:da:xx:xx:xx
    >
    > >show vpn sites
    > 1:
    > disabled false
    > name NYCFW
    > gateway xxx.xxx.xxx.2
    > gateway2 undefined
    > loginmode automatic
    > configmode automatic
    > authmethod certificate
    > type sitetosite
    > keepalive disabled
    > bypassnat enabled
    > bypassfw enabled
    > user xxxxxxx
    > password ""
    > topopass xxxxxxxxxxx
    > net1 undefined
    > netmask1 undefined
    > net2 undefined
    > netmask2 undefined
    > net3 undefined
    > netmask3 undefined
    > usepfs false
    > phase1ikealgs automatic
    > phase1exptime 0
    > phase2ikealgs automatic
    > phase2exptime 0
    > phase1dhgroup automatic
    > phase2dhgroup automatic
    > dnsname xxx.xxx.xxx.2
    >
    > 2:
    > disabled false
    > name MAFW
    > gateway xxx.xxx.xxx.100
    > gateway2 undefined
    > loginmode automatic
    > configmode automatic
    > authmethod certificate
    > type sitetosite
    > keepalive disabled
    > bypassnat enabled
    > bypassfw enabled
    > user xxxxxxx
    > password ""
    > topopass xxxxxxxxxxx
    > net1 undefined
    > netmask1 undefined
    > net2 undefined
    > netmask2 undefined
    > net3 undefined
    > netmask3 undefined
    > usepfs false
    > phase1ikealgs automatic
    > phase1exptime 0
    > phase2ikealgs automatic
    > phase2exptime 0
    > phase1dhgroup automatic
    > phase2dhgroup automatic
    > dnsname xxx.xxx.xxx.100
    >
    >
    >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >J. Oquendo
    >GPG Key ID 0x97B43D89
    >http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89
    >
    >"Just one more time for the sake of sanity tell me why
    > explain the gravity that drove you to this..." Assemblage
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >Hosted and sponsored by Secunia - http://secunia.com/

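The anti-spoofing rule Ray describes (a packet arriving on an interface whose source address is not in that interface's defined segment gets dropped) is easy to model, and the syslog-ng lines quoted in the original post are easy to triage against such a topology. The following is an added illustration, not code from either poster and not Check Point's implementation: the interface topology (`10.1.11.0/24` behind an `internal` interface, everything else `external`) is a hypothetical assumption, and the log lines are the ones quoted above plus one constructed benign line. It parses the `Src:`/`Dst:`/`IPP:` fields and counts, per source address, how many entries would fail the anti-spoofing check on the internal side.

```python
"""Anti-spoofing topology check plus log triage (added example).

The topology below is a hypothetical assumption for this illustration; the
check models the principle described in the reply (drop a packet whose
source address is not valid for the interface it arrived on), not Check
Point's own code.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical topology: internal interface name -> segments whose addresses
# are legitimate SOURCES for packets arriving on that interface.
INTERNAL_SEGMENTS = {
    "internal": [ipaddress.ip_network("10.1.11.0/24")],
}

# RFC 1918 space must never show up as a source on the external interface.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_spoofed(interface, src):
    """True if a packet with source `src` arriving on `interface` should be dropped."""
    addr = ipaddress.ip_address(src)
    if interface in INTERNAL_SEGMENTS:
        # Internal side: the source must belong to that interface's own segment(s).
        return not any(addr in net for net in INTERNAL_SEGMENTS[interface])
    # External side: internal segments and private space cannot legitimately
    # arrive from outside, so they are treated as spoofed.
    internal = [n for nets in INTERNAL_SEGMENTS.values() for n in nets]
    return any(addr in net for net in internal + RFC1918)


# Matches the line shape quoted in the original post:
# "<month> <day> <time> <host> <mac> <code> packet (<msg>) Src:a Dst:b IPP:n"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<mac>\S+) "
    r"<(?P<code>\d+)> packet \((?P<msg>[^)]*)\) "
    r"Src:(?P<src>[\d.]+) Dst:(?P<dst>[\d.]+) IPP:(?P<proto>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["proto"] = int(rec["proto"])
    return rec


def triage(lines, interface="internal"):
    """Count log entries whose source fails the anti-spoofing check.

    Returns (total_spoofed, Counter keyed by offending source, unparsed lines).
    """
    by_src = Counter()
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if is_spoofed(interface, rec["src"]):
            by_src[rec["src"]] += 1
    return sum(by_src.values()), by_src, unparsed


# Sample input: three lines as quoted in the post (host already redacted there)
# plus one constructed benign line with a source inside the internal segment.
SAMPLE_LOG = [
    "Sep 20 13:06:09 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6",
    "Sep 20 13:08:13 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6",
    "Sep 20 13:08:19 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6",
    # constructed, not from the post:
    "Sep 20 13:08:20 xxx.xxx.xxx.2 00:08:da:70:21:61 <50001> packet (accepted) Src:10.1.11.50 Dst:10.1.11.240 IPP:6",
]


if __name__ == "__main__":
    total, by_src, unparsed = triage(SAMPLE_LOG)
    print(f"{total} entries fail the internal anti-spoofing check")
    for src, n in by_src.most_common():
        print(f"  {src}: {n}")
    if unparsed:
        print(f"{len(unparsed)} line(s) did not parse")
```

Run against the quoted lines, every entry with `Src:10.10.10.10` is flagged because that address is outside the `10.1.11.0/24` segment assumed for the internal interface, which is exactly the drop Ray expects a correctly configured anti-spoofing topology to produce; the constructed `10.1.11.50` line passes. The same `triage` call with `interface="external"` answers the other question a defender asks of these logs: whether private or internal addresses are arriving from the outside.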

