RE: Firewall-1 and ISA D.o.S.

From: Dom De Vitto (Dom@DeVitto.com)
Date: 02/17/02


From: "Dom De Vitto" <Dom@DeVitto.com>
To: <vuln-dev@securityfocus.com>
Date: Sun, 17 Feb 2002 22:50:27 -0000

Just increase the size of the state table, which you should
have done when sizing the links going into your firewall.

e.g.:
Checkpoint: Check phoneboy for the table size poke.
Pix: *never* enter nat/static translations without
specifying max embryonic/setup connections.

Problem solved ("RTFM" and "THINK")
Dom
 |-----Original Message-----
 |From: overclocking_a_la_abuela@hotmail.com
 |[mailto:overclocking_a_la_abuela@hotmail.com]
 |Sent: Sunday, February 17, 2002 3:18 PM
 |To: vuln-dev@securityfocus.com
 |Subject: Firewall-1 and ISA D.o.S.
 |
 |
 |
 |
 |Hi,
 |
 |last year I reported a denial of service to
 |Firewall-1 : flooding on port 264 ( fw1_topo ).
 |Check Point was not able to reproduce this attack
 |so they never recognised it as a real problem. Now,
 |many security-concerned sites have this behaviour
 |in their firewall bug lists.
 |You can stop this attack if you manually create
 |all the rules and limit the access to this port (
 |264 ) only to clients that need it. But there was
 |a special situation : a firewall that accepts
 |connections to fw1_topo with ANY as source to
 |allow SecuRemote connections with a dynamic IP
 |address...
 |For this D.o.S. to succeed you needed a fast link
 |so the only real scenario was to attack from the
 |internal network.
 |Probably, too many prerequisites needed,...OK.
 |
 |So, what if I am an external attacker ?
 |I can build a trojan and mail it to some internal
 |user of the target network. The trojan will send
 |packets to some external IP, to force them to pass
 |through the Firewall-1. This time, we do not need
 |to know the Firewall IP , we only send a lot of
 |packets to port 80 with the SYN flag. Simple, rude
 |but effective. My tests always finish with the
 |firewall completely frozen.
 |The firewall machine is a Professional Win2000,
 |PII 350 with 320 MB. Link is a 10 MB Ethernet.
 |The software used is ippacket. Now the packet we
 |build is :
 |
 |-source : valid internal IP ( does not matter )
 |-dest : external IP
 |-source port : 10000 ( does not matter )
 |-dest port : 80 ( probably the firewall rules
 |accept it )
 |-flags : SYN
 |-mode : -1 ( continuous mode )
 |
 |In the case of Microsoft ISA Server I have been
 |trying some types of packets to flood it, and the
 |one that seems to freeze the firewall is this ( land
 |):
 |
 |-source : internal ISA IP
 |-dest : internal ISA IP
 |-source port : 8080
 |-dest port : 8080
 |-flags : SYN
 |-mode : -1 ( continuous mode )
 |
 |And the ISA stops responding : clients will not be
 |able to surf the web, the ISA machine does not
 |respond ( CTRL + ALT + DEL does not work ), ...
 |These tests have been done with an ISA configured
 |with http proxy on port 8080 on a Win2000 Server.
 |
 |Generally, I think it is not difficult to smash a
 |firewall if you are on the local network. You only
 |have to find which packets will force the
 |forwarding/filtering device to work hard : if the
 |firewall uses proxies, some kind of
 |authentication, some stateful inspection, etc,
 |then it is an easy job. Now, it seems that old
 |packet filters are more effective at defending against these
 |attacks, since they do not do a deep inspect...
 |
 |So, is this a general flaw in modern firewalls ?
 |Are they unable to manage a large amount of
 |connection requests ?
 |Bad guys are not only in the wild, they can be in
 |your network, or they can begin an attack from
 |your internal network with a trojan.
 |Please, I would appreciate some feedback.
 |
 |Hugo Vázquez Caramés
 |Security Consultant
 |Barcelona
 |SPAIN
 |
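The two controls the thread turns on, a per-source cap on embryonic (half-open) connections of the kind Dom refers to on the PIX, and a check for the land packet shape Hugo describes against ISA, as an added illustration that is not code from either poster; the limit value, packet-record fields and sample traffic are all constructed for the demo.

```python
# Added example: a toy state table that enforces a per-source embryonic
# (SYN seen, no ACK yet) connection cap and rejects land packets
# (src == dst and sport == dport). The cap is an assumed demo value,
# not any vendor's default.
from collections import defaultdict

EMBRYONIC_LIMIT = 5   # assumed per-source cap for this demo


def is_land_packet(pkt):
    """Land packet: source and destination address/port identical."""
    return pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


class StateTable:
    def __init__(self, embryonic_limit=EMBRYONIC_LIMIT):
        self.limit = embryonic_limit
        self.half_open = defaultdict(set)   # src -> set of 4-tuples
        self.dropped = []                   # (reason, pkt) audit trail

    def process(self, pkt):
        """Return 'accept' or 'drop' for one packet record."""
        if is_land_packet(pkt):
            self.dropped.append(("land", pkt))
            return "drop"
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            pending = self.half_open[pkt["src"]]
            if len(pending) >= self.limit and flow not in pending:
                self.dropped.append(("embryonic-limit", pkt))
                return "drop"
            pending.add(flow)
        elif "A" in pkt["flags"]:
            # handshake completed: the flow leaves the embryonic set
            self.half_open[pkt["src"]].discard(flow)
        return "accept"


def run_demo():
    """Constructed traffic: one inside host opens eight SYNs to port 80
    and never completes them, then a land packet aimed at a proxy port."""
    table = StateTable()
    flood = [{"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 10000 + i,
              "dport": 80, "flags": "S"} for i in range(8)]
    land = {"src": "10.0.0.1", "dst": "10.0.0.1", "sport": 8080,
            "dport": 8080, "flags": "S"}
    verdicts = [table.process(p) for p in flood + [land]]
    return verdicts, [reason for reason, _ in table.dropped]
```

Once the fifth half-open flow is pending, further SYNs from that source are dropped until an ACK retires one; a real device also ages half-open entries out on a timer, which is omitted here.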


