Re: Checkpoint SYN DoS Vulnerability



On 5/17/06, Erick Mechler <emechler@xxxxxxxxxxxxxx> wrote:
:: SYNdefender is disabled on the Nokia/Checkpoint firewall. Nokia's response
:: after seeing the results of the scan has been that SYNdefender is still
:: functional even if we disable it and valid authorized scans won't be
:: allowed from the firewall as that is a product limitation!

The most vocal piece of feedback I gave to CheckPoint back when I used
their FW-1 products was to provide a Big Red Button(tm) to disable all of
the SmartDefense functionality. It was never made very clear to me, as the
admin, when those things kicked in, and how they would affect my traffic
flow. I haven't used FW-1 in the last 12 months, so this might have been
addressed, but I can't say for sure.

It wasn't - that's the problem. As I said in my first post, I've
experienced numerous problems with the Smart Defense module, which
doesn't care how your rules are set up.
You just can't allow *ALL* traffic to go to the destination. Smart
Defense seems to be working on a lower level than the rules (or has
higher priority; the end result is the same), so if the SD module finds
your traffic inappropriate, it will drop it no matter what's in the
rules.

That's why I suspected that the SYN Defense module gets activated no
matter what's in the rules.

So, a question for Sanjay: can you set up a tcpdump sniffer in front
and behind, just to log all packets? Then run your scans and see what
happens at both ends. You can post pcap files somewhere so people
can look at them as well (just sanitize the IP addresses, if you need
to).

Cheers,

Bojan
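One way to compare the two captures Bojan asks for, as an added example that is not part of the original thread: it reads `tcpdump -nn` text output from the capture in front of the firewall and from the one behind it, and lists every bare SYN that was seen outside but never made it inside. The line format, host addresses and packets are constructed for the example; it assumes modern tcpdump `Flags [S]` output, not the 2006-era `S seq:seq(0)` style.

```python
import re
from typing import Iterable, List, Set, Tuple

# Matches a bare SYN (Flags [S]); the SYN-ACK is printed as [S.] and is ignored.
SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\]"
)

Flow = Tuple[str, int, str, int]


def parse_syns(lines: Iterable[str]) -> Set[Flow]:
    """Collect (src, sport, dst, dport) for every pure SYN in tcpdump -nn text."""
    flows: Set[Flow] = set()
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:
            flows.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def dropped_syns(front: Iterable[str], behind: Iterable[str]) -> List[Flow]:
    """SYNs present in the outside capture but absent from the inside one,
    i.e. the ones the firewall (rules or SmartDefense) silently discarded."""
    return sorted(parse_syns(front) - parse_syns(behind))


# Constructed sample captures, not real traffic: a scanner at 10.0.0.5 sends
# three SYNs to 192.168.1.10; the inside sniffer only ever sees two of them.
FRONT = """\
12:00:01.000100 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000200 IP 10.0.0.5.40002 > 192.168.1.10.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000300 IP 10.0.0.5.40003 > 192.168.1.10.443: Flags [S], seq 3, win 65535, length 0
12:00:01.000400 IP 192.168.1.10.80 > 10.0.0.5.40002: Flags [S.], seq 9, ack 3, win 5840, length 0
""".splitlines()

BEHIND = """\
12:00:01.000150 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000250 IP 10.0.0.5.40002 > 192.168.1.10.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000350 IP 192.168.1.10.80 > 10.0.0.5.40002: Flags [S.], seq 9, ack 3, win 5840, length 0
""".splitlines()

if __name__ == "__main__":
    for src, sport, dst, dport in dropped_syns(FRONT, BEHIND):
        print(f"SYN {src}:{sport} -> {dst}:{dport} never reached the inside capture")
```

Feed it the real captures with `tcpdump -nn -r front.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` and the same for the inside file; if SYNs to ports the rulebase explicitly allows show up in the dropped list, something other than the rules is discarding them.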
