[11241] in bugtraq
Re: FW-1 DOS attack: PART II
daemon@ATHENA.MIT.EDU (James E McWilliams)
Tue Aug 3 15:46:28 1999
Content-Identifier: 0163237A3C7D1002
Content-Return: Allowed
Message-Id: <"0163237A3C7D1002*/c=us/admd=
/prmd=kp/o=notes/s=Mcwilliams/g=James/i=E/"@MHS>
Date: Sat, 31 Jul 1999 21:06:41 -0700
Reply-To: James E McWilliams <James.E.Mcwilliams@KP.ORG>
From: James E McWilliams <James.E.Mcwilliams@KP.ORG>
X-To: lance <lance@SPITZNER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Lance,
Good write-up on the page. I have a wild one for you is in the INSPECT code do you think this problem can be solved? I am going to start looking at it tonight and see what I can get going with it. One more question I had, and I only heard back from one person saying they filled up the connections on a LINUX proxy based FW in the same manner with NMAP: I was wondering if this would work on other FWs?
You might be on to something big...
Eric
sends
lance@SPITZNER.NET on 07/30/99 06:10:00 PM
To: BUGTRAQ@SECURITYFOCUS.COM@Internet
cc: (bcc: James E McWilliams/CA/KAIPERM)
Subject: FW-1 DOS attack: PART II
I would greatly appreciate if you could pass this along.
It does a much better job of explaining what the exact
problem/DOS is with FW-1.
I would like to clarify exactly how the DOS works.
Everything I am about to cover is documented in
detail at
http://www.enteract.com/~lspitz/fwtable.html
When you start a TCP connection, you send a SYN packet.
When FW-1 filters this packet, it checks it against the rule
base; if the session is allowed, it is added to the
connections table with a timeout of 60 seconds. When the
remote host responds, the session is bumped up to a 3600
second timeout.
Now, if you start a connection with an ACK packet, the FW
compares it against the rule base; if allowed, it is added
to the connections table. However, the timeout is set to
3600 seconds and does not care if a remote system
responds. You now have a session with a 1 hour timeout,
even though no system responded. Now, do this with a lot
of ACK packets, and you have a full connections table.
Most companies allow http outbound. Run this command
as root from an internal system, I give your FW about 10
to 15 minutes. If your internal network is a 10.x.x.x,
try 172.16.*.*
nmap -sP 10.*.*.*
nmap is a very powerful port scanner. With this command
it does only a PING and TCP sweep (default port 80), but
uses an ACK instead of a SYN.
To verify that your connections table is quickly growing,
try "fw tab -t connections -s" at 10 second intervals.
Tested on ver 4.0 SP3 on Solaris x86 2.6.
I would greatly appreciate if anyone could prove/disprove
this. Also, FW-1's SynDefender did not protect against this
attack.
Lance
http://www.enteract.com/~lspitz
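
Added example (not part of the original post, and not FW-1 code): a small Python model of the connections-table behaviour described above, comparing how many entries stay resident for unanswered SYN versus ACK packets. Only the 60 and 3600 second timeouts come from the post; the packet rate, the table limit and the short-timeout policy for ACK entries are assumptions made for illustration.

```python
import heapq

SYN_TIMEOUT = 60            # from the post: new entry created by a SYN
ESTABLISHED_TIMEOUT = 3600  # from the post: after a reply, and for ACK-initiated entries


def sweep(kind, rate, seconds):
    """Constructed sample traffic: `rate` unanswered packets per second."""
    return [(t, kind, False) for t in range(seconds) for _ in range(rate)]


def peak_entries(packets, ack_timeout, limit=None):
    """Replay (time_s, kind, answered) tuples, sorted by time, against a
    modelled state table. Returns (peak table size, entries refused)."""
    expiries = []  # min-heap holding the expiry time of every live entry
    peak = refused = 0
    for t, kind, answered in packets:
        # Age out entries whose timeout has passed.
        while expiries and expiries[0] <= t:
            heapq.heappop(expiries)
        # A full table cannot track a new session (assumed behaviour).
        if limit is not None and len(expiries) >= limit:
            refused += 1
            continue
        if kind == "SYN":
            # Simplification: an answered SYN gets the long timeout at once.
            timeout = ESTABLISHED_TIMEOUT if answered else SYN_TIMEOUT
        else:
            # ACK-initiated entry: timeout does not depend on any reply.
            timeout = ack_timeout
        heapq.heappush(expiries, t + timeout)
        peak = max(peak, len(expiries))
    return peak, refused


if __name__ == "__main__":
    cases = [
        ("unanswered SYN, 60 s timeout", "SYN", ESTABLISHED_TIMEOUT, None),
        ("unanswered ACK, 3600 s timeout", "ACK", ESTABLISHED_TIMEOUT, None),
        ("same, assumed limit of 5000", "ACK", ESTABLISHED_TIMEOUT, 5000),
        ("hypothetical 60 s ACK timeout", "ACK", SYN_TIMEOUT, None),
    ]
    for label, kind, ack_timeout, limit in cases:
        peak, refused = peak_entries(sweep(kind, 10, 600), ack_timeout, limit)
        print(f"{label:32s} peak={peak:5d} refused={refused}")
```

The resident entry count is roughly packet rate times timeout, so the same unanswered traffic occupies 60 times more of the table when it is given the 3600 second timeout.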