Re: Checkpoint SYN DoS Vulnerability

On 5/16/06, sanjay naik <sanjaynaik@xxxxxxxxxxx> wrote:

When a scan is initiated from the Inside interface of Checkpoint firewall,
the firewall responds with bogus information intermittently. I would like to
submit the following bug for Checkpoint:

I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a
default configuration of VPN-1.
Here is how a scan of an Internet host looks from a box behind the firewall.
Port 21 is closed and port 80 is open on the Internet host.

# nmap -sT -P0 -v -p 21,80 192.36.x.x
Interesting ports on (192.36.x.x):
21/tcp closed ftp
80/tcp open http

tcpdump says everything is sane, ftp attempt:
21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0)
win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441
21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0

http attempt:
21:04:08.390810 IP proxy1.58059 > public.http: S
2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394968 IP public.http > proxy1.58059: S
1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 885493884 761562441>
21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304
<nop,nop,timestamp 761562445 885493884>
21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304

What CheckPoint products are enabled on the firewall? What are the
SmartDefense settings for "TCP/SYN Attack Configuration"? If "SYN
Attack protection" is enabled the firewall does what it's told to do.
After x packets/timeout it will switch to SYN relay mode and will do
the three-way handshake on behalf of the destination host. This
feature is normally only enabled on the external interface.

"It's not a bug, it's a feature"

Pawel Worach
Security Specialist, SDO Networks
NP/IBM Sweden
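A toy model of the SYN-relay behaviour described in the reply above, added here as an example; it is not code from the thread or from Check Point, and the threshold, idle timeout and port sets are assumed values:

```python
"""Toy model of a firewall in SYN-relay mode.

Added example, not code from the thread or from Check Point. It models the
behaviour described in the reply: below the SmartDefense threshold SYNs pass
through and the real host answers; once the threshold of half-open SYNs is
reached the firewall completes the three-way handshake itself and only then
contacts the host, so a connect() scan reports every port open until the
relay times out. The threshold and idle timeout are assumed values.
"""
from dataclasses import dataclass


@dataclass
class SynRelayFirewall:
    threshold: int                 # half-open SYNs before relay mode (assumed)
    open_ports: set                # ports really listening on the protected host
    half_open: int = 0
    relay_mode: bool = False

    def host_reply(self, port: int) -> str:
        """What the protected host itself would say to a SYN."""
        return "SYN-ACK" if port in self.open_ports else "RST"

    def connect_scan(self, port: int) -> tuple:
        """Return (verdict seen by scanner, segments seen on the scanner side)."""
        if not self.relay_mode:
            self.half_open += 1
            if self.half_open >= self.threshold:
                self.relay_mode = True      # protection kicks in for later SYNs
            reply = self.host_reply(port)   # pass-through: host answers directly
            verdict = "open" if reply == "SYN-ACK" else "closed"
            return verdict, ["SYN", reply]
        # Relay mode: the firewall answers SYN-ACK on the host's behalf, the
        # scanner's connect() succeeds, and only then is the host consulted.
        segments = ["SYN", "SYN-ACK (firewall)", "ACK"]
        if self.host_reply(port) == "RST":
            segments.append("RST (relayed from host)")
        return "open", segments       # connect() already returned success

    def idle_timeout(self) -> None:
        """Relay mode ends when the SYN burst subsides; this is the intermittency."""
        self.half_open = 0
        self.relay_mode = False


def bogus_open_ports(fw: SynRelayFirewall, ports) -> list:
    """Ports a connect() scan reports open that the host does not really serve."""
    return [p for p in ports if fw.connect_scan(p)[0] == "open"
            and p not in fw.open_ports]
```

Running the same port list twice, once before and once after `idle_timeout()`, reproduces the intermittent "bogus" results the original poster saw.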
