Re: Checkpoint SYN DoS Vulnerability

On 5/16/06, sanjay naik <sanjaynaik@xxxxxxxxxxx> wrote:

When a scan is initiated from the Inside interface of Checkpoint firewall,
the firewall responds with bogus information intermittently. I would like to
submit the following bug for Checkpoint:

I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a
default configuration of VPN-1.
Here is how a scan of an Internet host looks from a box behind the firewall.
Port 21 is closed and port 80 is open on the Internet host.

# nmap -sT -P0 -v -p 21,80 192.36.x.x
Interesting ports on (192.36.x.x):
21/tcp closed ftp
80/tcp open http

tcpdump says everything is sane, ftp attempt:
21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0)
win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441
21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0

http attempt:
21:04:08.390810 IP proxy1.58059 > public.http: S
2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394968 IP public.http > proxy1.58059: S
1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 885493884 761562441>
21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304
<nop,nop,timestamp 761562445 885493884>
21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304

What CheckPoint products are enabled on the firewall? What are the
SmartDefense settings for "TCP/SYN Attack Configuration"? If "SYN
Attack protection" is enabled the firewall does what it's told to do.
After x packets/timeout it will switch to SYN relay mode and will do
the three-way handshake on behalf of the destination host. This
feature is normally only enabled on the external interface.

"It's not a bug, it's a feature"

Pawel Worach
Security Specialist, SDO Networks
NP/IBM Sweden
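As an added illustration (not code from the thread or from Check Point), the following Python model shows why a connect scan from behind a SYN-relaying firewall reports closed ports as open once the SYN threshold is exceeded, and how a "canary" port that is known to be closed exposes the relay. The threshold value, the per-window counting rule and the canary check are assumptions; the real parameters live in the SmartDefense "TCP/SYN Attack Configuration" settings.

```python
from dataclasses import dataclass


@dataclass
class SynRelayFirewall:
    """Simplified model of a SYN-attack protection that switches to relay mode.

    Assumption: the firewall counts SYNs per time window and, once the count
    exceeds `threshold`, completes the three-way handshake itself for every
    destination port.  A real relay would later reset the client if the
    protected host refuses the forwarded connection; that step is not modeled.
    """
    threshold: int          # SYNs tolerated per window before relay mode
    open_ports: set         # ports that are really open on the protected host
    syn_count: int = 0
    relay_mode: bool = False

    def handle_syn(self, dport: int) -> str:
        """Return the TCP flags the scanner sees in reply: 'SA' or 'R'."""
        self.syn_count += 1
        if self.syn_count > self.threshold:
            self.relay_mode = True
        if self.relay_mode:
            return "SA"  # relay mode: SYN/ACK for any port, open or not
        return "SA" if dport in self.open_ports else "R"  # host's own reply

    def new_window(self) -> None:
        """Timeout expired: counter and relay state are reset."""
        self.syn_count = 0
        self.relay_mode = False


def connect_scan(fw: SynRelayFirewall, ports) -> dict:
    """What an nmap -sT style scan concludes from each SYN reply."""
    return {p: ("open" if fw.handle_syn(p) == "SA" else "closed") for p in ports}


def relay_suspected(results: dict, canary_port: int) -> bool:
    """A port known to be closed reporting 'open' means the replies are not
    from the target host but from the firewall relay."""
    return results.get(canary_port) == "open"


if __name__ == "__main__":
    fw = SynRelayFirewall(threshold=5, open_ports={80})
    print(connect_scan(fw, [21, 80]))                  # {21: 'closed', 80: 'open'}
    connect_scan(fw, list(range(1000, 1010)))          # pushes count past threshold
    late = connect_scan(fw, [21, 80])                  # {21: 'open', 80: 'open'}
    print(late, "relay suspected:", relay_suspected(late, 21))
```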