[11270] in bugtraq


Re: FW-1 DOS attack: PART II

daemon@ATHENA.MIT.EDU (Steve Birnbaum)
Thu Aug 5 13:15:13 1999

Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-445439324P";
              micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Message-Id:  <19990804032202.52729.qmail@cpu2508.adsl.bellglobal.com>
Date:         Tue, 3 Aug 1999 23:22:02 -0400
Reply-To: Steve Birnbaum <sbirn@SECURITY.ORG.IL>
From: Steve Birnbaum <sbirn@SECURITY.ORG.IL>
X-To:         lance@SPITZNER.NET
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Sun, 01 Aug 1999 11:23:07 CDT." 
              <Pine.SO4.4.02.9908011109090.9797-100000@spitzner.net>

--==_Exmh_-445439324P
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding:


lance@SPITZNER.NET said:
>  I have not tested that yet, so I cannot confirm nor deny its
> validity, however I have heard of this behavior before.  Looks like I
> have a new challenge to play with :)

I tested it some time ago under 3.0b (maybe with some patches added).  They
might have changed it since then, of course.

As someone else has already stated in this thread, when installing a policy
the state table is reset.  So as not to have all existing connections dropped
when this happens, Check Point had/have this "feature" that allows ACK packets
in.  It is only supposed to allow ACK packets in that correspond to the
reverse of an outgoing rule.  Therefore, if there is nothing allowed out,
it's not supposed to allow the ACKs in.  If you allow all internal hosts to
access the Internet on all ports, it'll allow in most packets.

The body gets mangled, but I'm not sure about the sequence numbers.

Depending on the response of the internal host the connection will be added
to the state table.

  Steve

--
Steve Birnbaum  -  sbirn@security.org.il      (PGP key available)



--==_Exmh_-445439324P
Content-Type: application/pgp-signature


--==_Exmh_-445439324P--
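
The acceptance logic described in the message above, as an added Python model that is not part of the original post and is not Check Point's code. The rule and packet types, the function names and the sample addresses are assumptions made for illustration; `lenient_ack` switches the post-install ACK behaviour on so it can be compared with strict state matching.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class OutRule:                 # hypothetical outbound "accept" rule
    src_net: str               # internal sources
    dst_net: str               # external destinations
    ports: range               # destination ports allowed out

@dataclass(frozen=True)
class Packet:                  # inbound TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

def is_reverse_of(rule, pkt):
    # Reverse of an outgoing rule: the packet comes from an allowed destination
    # and port, and goes to an allowed internal source.
    return (ip_address(pkt.src) in ip_network(rule.dst_net)
            and pkt.sport in rule.ports
            and ip_address(pkt.dst) in ip_network(rule.src_net))

def inbound_verdict(pkt, rules, state_table, lenient_ack):
    # State entries are keyed from the internal host's point of view.
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in state_table:
        return "accept (state)"
    if lenient_ack and pkt.flags == {"ACK"} and any(is_reverse_of(r, pkt) for r in rules):
        return "accept (ack)"
    return "drop"

# Constructed sample data; addresses are private/documentation ranges.
ANY_OUT = [OutRule("10.0.0.0/8", "0.0.0.0/0", range(1, 65536))]
WEB_OUT = [OutRule("10.0.0.0/8", "0.0.0.0/0", range(80, 81))]
ACK = Packet("192.0.2.7", 4000, "10.1.2.3", 5000, frozenset({"ACK"}))
SYN = Packet("192.0.2.7", 4000, "10.1.2.3", 5000, frozenset({"SYN"}))

def survey():
    empty = set()              # state table right after a policy install
    return {
        "any-out, lenient": inbound_verdict(ACK, ANY_OUT, empty, True),
        "web-out, lenient": inbound_verdict(ACK, WEB_OUT, empty, True),
        "no-out, lenient": inbound_verdict(ACK, [], empty, True),
        "any-out, strict": inbound_verdict(ACK, ANY_OUT, empty, False),
        "any-out, SYN": inbound_verdict(SYN, ANY_OUT, empty, True),
    }

if __name__ == "__main__":
    for case, verdict in survey().items():
        print(f"{case:18} {verdict}")
```

With an empty state table, only the rule base that lets every internal host out on all ports accepts the unsolicited ACK; narrowing the outbound rule or matching strictly on state drops it.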
