Re: Raptor Firewall

From: H D Moore (hdm@digitaloffense.net)
Date: 12/07/01 

From: H D Moore <hdm@digitaloffense.net>
To: "Stuart" <stuart.hackinfo@btinternet.com>, <pen-test@securityfocus.com>
Date: Fri, 7 Dec 2001 02:17:58 -0600

I have seen this happen in one case where the customer had incorrectly
configured the firewall to have two rules that both matched a packet. When a
syn hit that port, the Raptor box would go into fits and start spewing what
looked to be developer debug statements. I don't remember the version they we
running or how the conflicting rules were created, just that there were two
rules matching the same connection.

Does the firewall spit anything out on the console (popups, error logs, etc)?
Does a TCP connect scan cause the same problem?

-HD

On Thursday 06 December 2001 06:06 pm, Stuart wrote:
> We've run a pentest against a customer recently and found that the very act
> of port scanning their Raptor firewall (running on NT) crippled its ability
> to accept incoming connections for their web site. The firewall is a new
> high spec PIII and the least line is a decent size. The nmap scans were
> standard timing (not T5 or anything daft) - once the scans were stopped,
> things burst back in to life within about 10minutes.
[ snip ]
> Does this ring any bells with anyone? Seems very odd to me... a portscan
> should not cause a DOS by itself...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Relevant Pages

  • RE: Hacking demo - most spectacular techniques
    ... I setup an IIS 5 box and a firewall. ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)
  • Re: Firewall ACL determinations
    ... Subject: Firewall ACL determinations ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)
  • RE: Cant get a shell
    ... If the firewall is the issue, ... > This list is provided by the SecurityFocus Security ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: firewall appliance help
    ... Subject: firewall appliance help ... internet/outside the firewall that arent firewalled (trusted host (If you ... know the ip of a trusted host, then you can portscan internal machines)). ... > This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: DENY x REJECT
    ... >The best way to differ between a port which the firewall is configured ... a Destination Port Unreachable message should be ... >This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)