RE: Firewall-1 and ISA D.o.S.

From: Dom De Vitto (Dom@DeVitto.com)
Date: 02/19/02


From: "Dom De Vitto" <Dom@DeVitto.com>
To: <overclocking_a_la_abuela@hotmail.com>, <vuln-dev@securityfocus.com>
Date: Mon, 18 Feb 2002 23:27:17 -0000


 |Hi Dom,
 |
 |I know that you can increase the connections
 |managed by the kernel of FW-1, I will increase it to
 |50.000 (some time ago CheckPoint said to me that it
 |was the limit...), but I think the problem is not in that
 |feature. When I send packets, I always send the
 |same packet (same source port, same dest port,
 |same source address, same dest address, same
 |sequence number, ...), so do you think FW-1 tracks
 |every packet received as a new connection, or does it only
 |refresh its state table as if there were only one
 |connection?
Wow, then that's a bug, as "duplicates" should be dropped.

 |Moreover, ippacket generates packets at a very high
 |rate, and I do not believe FW-1 (and many other
 |firewalls) is able to manage this flood of SYN
 |requests.
Yep, some firewalls don't even do wire speed, and many can't
cope when it's all small packets.

 |"RTFM" ---> Yes, I read it a loooong time ago... have
 |you at least tried to apply the D.o.S. that I describe?

No need, on a Pix I've seen it hang because of a single Nimda'd
box! When you limit the connection table size, down to a single
host, then resource exhaustion just freezes comms for that host
for a little while. I don't think you can do it for a CPK box,
which is a design feature (fully-shared vs. allocated table space)
- somewhere in between would be nice.

Sorry for the comment, it was a long day, and your points
seemed (fairly) obvious. Of course, if duplicate packets are
causing a problem, then that's a big bug.

Dom
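The two questions in the exchange above (does a stateful firewall allocate a new
state entry for every byte-identical SYN, or refresh the one entry it already has;
and what a fully shared connection table does for other hosts once one host fills
it, versus a per-host allocation) can be made concrete with a toy model. The code
below is an added illustration, not code from the thread, from Check Point or from
any firewall vendor; it assumes the usual design in which entries are keyed on the
TCP 4-tuple (source address, source port, destination address, destination port)
and says nothing about how FW-1 or the PIX actually key their tables. All names
(`StateTable`, `flood`, the two scenario functions), the addresses and the
constructed packets are hypothetical.

```python
"""Toy model of a stateful firewall connection table (added example, not vendor code).

key_on_tuple=True  : entries keyed on the TCP 4-tuple, so a byte-identical
                     (duplicated or retransmitted) SYN refreshes the existing
                     entry instead of allocating a new one - the expected behaviour.
key_on_tuple=False : every received packet is treated as a new connection - the
                     bug the thread speculates about.
per_host_limit     : optional cap on entries per source host, modelling an
                     allocated (per-host) table instead of a fully shared one.
"""
from collections import OrderedDict

# Constructed sample packet: (src_ip, src_port, dst_ip, dst_port, seq). The
# sequence number is carried but deliberately not part of the key: a stateful
# table keys on the 4-tuple, so "same everything" packets collapse to one entry.
DUP_SYN = ("10.0.0.7", 40000, "192.0.2.10", 80, 12345)


class StateTable:
    def __init__(self, capacity, key_on_tuple=True, per_host_limit=None):
        self.capacity = capacity
        self.key_on_tuple = key_on_tuple
        self.per_host_limit = per_host_limit
        self.entries = OrderedDict()   # key -> (src_ip, last_seen)
        self.dropped = 0
        self._next_id = 0

    def _count_for(self, src):
        return sum(1 for s, _ in self.entries.values() if s == src)

    def admit(self, pkt, now):
        """Return what the firewall did with the packet."""
        src, sport, dst, dport, _seq = pkt
        if self.key_on_tuple:
            key = (src, sport, dst, dport)
        else:
            key = ("pkt", self._next_id)   # buggy: no dedup, every packet is new
            self._next_id += 1
        if key in self.entries:
            self.entries[key] = (src, now)  # refresh the timer, allocate nothing
            return "refreshed"
        if self.per_host_limit is not None and self._count_for(src) >= self.per_host_limit:
            self.dropped += 1
            return "dropped:host-limit"     # only this host is starved
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return "dropped:table-full"     # everyone behind the box is starved
        self.entries[key] = (src, now)
        return "new"

    def expire(self, now, timeout):
        """Age out idle entries; returns how many were removed."""
        stale = [k for k, (_, seen) in self.entries.items() if now - seen > timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)


def flood(table, pkt, count, vary_sport=False, start=0):
    """Send `count` copies of pkt; optionally walk the source port (a real SYN flood)."""
    src, sport, dst, dport, seq = pkt
    for i in range(count):
        p = (src, sport + i if vary_sport else sport, dst, dport, seq)
        table.admit(p, start + i)
    return len(table.entries), table.dropped


def duplicate_syn_scenario(capacity=1000, n=10000):
    """Identical SYNs against a correctly keyed table and against the buggy one."""
    good = StateTable(capacity)
    bad = StateTable(capacity, key_on_tuple=False)
    good_entries, good_dropped = flood(good, DUP_SYN, n)
    bad_entries, bad_dropped = flood(bad, DUP_SYN, n)
    client = ("198.51.100.5", 51000, "192.0.2.10", 80, 1)  # legitimate user after the flood
    return {
        "correct": (good_entries, good_dropped, good.admit(client, n)),
        "buggy": (bad_entries, bad_dropped, bad.admit(client, n)),
    }


def table_allocation_scenario(capacity=1000, n=5000):
    """A genuine SYN flood (varying source port) against a shared vs per-host table."""
    shared = StateTable(capacity)
    per_host = StateTable(capacity, per_host_limit=100)
    flood(shared, DUP_SYN, n, vary_sport=True)
    flood(per_host, DUP_SYN, n, vary_sport=True)
    client = ("198.51.100.5", 51000, "192.0.2.10", 80, 1)
    return {
        "shared": (len(shared.entries), shared.admit(client, n)),
        "per_host": (len(per_host.entries), per_host.admit(client, n)),
    }


if __name__ == "__main__":
    print(duplicate_syn_scenario())
    print(table_allocation_scenario())
```

With 4-tuple keying, ten thousand identical SYNs leave one entry and nothing dropped; with the "every packet is new" behaviour the same stream fills a 1000-entry table and the next legitimate client is refused, which is what would make the reported flood a table bug rather than a rate problem. The second scenario shows the trade-off in the post: a shared table lets one flooding host deny every host behind the firewall, while a per-host allocation confines the damage to the flooding host at the cost of a fixed ceiling per host.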


