RE: Firewall-1 and ISA D.o.S.

From: Dom De Vitto (Dom@DeVitto.com)
Date: 02/19/02 

From: "Dom De Vitto" <Dom@DeVitto.com>
To: <overclocking_a_la_abuela@hotmail.com>, <vuln-dev@securityfocus.com>
Date: Mon, 18 Feb 2002 23:27:17 -0000

 |Hi Dom,
 |
 |I know that you can increase the connections
 |managed by the kernel of FW-1, I will increase it to
 |50.000 ( some time ago CheckPoint said to me that it
 |was the limit... ), but I think the problem is not on that
 |feature. When I send packets , I send always the
 |same packet ( same source port, same dest port,
 |same source address, same dest address , same
 |sequence number, ... ) so , do you think FW-1 tracks
 |every packet received as a new connection, or it only
 |refresh it state table as there was only one
 |connection ?
Wow, then that's a bug, as "duplicates" should be dropped.

 |Moreover, ippacket generates packets at a very high
 |rate, and I do not believe FW-1 ( and many other
 |firewalls ) is able to manage this flood of SYN
 |requests.
Yep, some firewalls don't even do wire speed, and many can't
cope when it's all small packets.

 |"RTFM" ---> Yes, I read it loooong time ago, ... have
 |you at least tried to apply the D.o.S. that I describe ?

No need, on a Pix I've seen it hang because of a single Nimda'd
box! When you limit the connection table size, down to a single
host, then resource exhaustion just freezes comms for that host
for a little while. I don't think you can do it for a CPK box,
which is a design feature (fully-shared vs. allocated table space)
- somewhere in between would be nice.

Sorry for the comment, it's was a long day, and your points
seemed (fairly) obvious. Of course, if duplicate packets are
causing a problem, then that's a big bug.

Dom

Relevant Pages

  • Re: Firewall-1 and ISA D.o.S.
    ... managed by the kernel of FW-1, ... same packet (same source port, same dest port, ... every packet received as a new connection, ... ippacket generates packets at a very high ...
    (Vuln-Dev)
  • Re: Do I Have A Firewalled LAN Run By ISP In Between?
    ... from that host while at host ... running a layer within a layer, with a complex network address translation ... application called "Internet Connection Sharing". ... what those packets are for, ...
    (comp.security.firewalls)
  • Re: IP over RS232 serial port under QNX6 (devn-fd.so)
    ... Now i can 'ping' and receive correct answers from the remote host. ... Now i want to setup the TCP/IP stack on top of the serial port. ... When i 'ping' to the destination endpoint 10.0.0.185 from the source ... These packets were correct ARP-Broadcasts ...
    (comp.os.qnx)
  • Re: Duplicate Echo Replies with Channel Bonding
    ... In this mode both interfaces receive packets, ... >When both eth0 and eth1 are up and I ping from Host C to Host A I get ... >The destination network 192.168.120.0/24 exists on both Router A and ... Switch B does not have the MAC address in its MAC address table ...
    (RedHat)
  • Re: [RFC v1] virtio: add virtio-over-PCI driver
    ... symmetry, but it didn't seem to offer any concrete advantages, so we didn't ... single x86 computer (the host) and many guest systems. ... This way you just recv packets in the ...
    (Linux-Kernel)