[9731] in bugtraq
Re: NT DoS on FW-1
daemon@ATHENA.MIT.EDU (Matt Hargett)
Mon Feb 22 14:09:47 1999
Date: Sun, 21 Feb 1999 17:43:44 -0600
Reply-To: Matt Hargett <hargett@WINTERMUTE.CITYSCAPE.NET>
From: Matt Hargett <hargett@WINTERMUTE.CITYSCAPE.NET>
To: BUGTRAQ@NETSPACE.ORG
>This issue can be fixed by simply implementing a stealthing rule on the
>firewall itself. The problem is in NT's stack, not the FireWalls.
>
> Jamie Thain wrote:
>
> > Timothy,
> >
> > > I was running nmap against a client's Checkpoint FW-1
> > > when they called to inform me that it had crashed. I
> > > was not on site so unfortunately I have little
> > > details.
> >
> > I have seen this before where a high speed port scanner running against a
> > FW-1 on NT seems to crash it. FW-1 does not exhibit this behaviour on
> > Sun. You may want to check and make sure you have the most recent patch
> > level. That information is on the FW-1 site.
> >
> > > I DO know that they were running it on a NT
> > > box and it was behind a Cisco 3640.
I have done a bit of testing using nmap against NT 4.0 with
SP4. My findings were that plain NT 4.0 SP4 doesn't
crash/behave erratically by itself with the many instances of nmap
options that I tried. Certainly not a simple SYN scan with OS
fingerprinting.
What exactly is the problem in NT's stack and how exactly can you measure
its adverse reaction? I was looking under task manager at the nonpaged
kernel memory, process, thread, and handle counts.
-----------------------------------------
Matt Hargett
http://www.cityscape.net/~hargett
matt@use.net
sex on the TV, everybody's at it
and the mind gets dirty
as you get closer
to thirty