lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 May 2006 15:57:03 -0400 From: "sanjay naik" <sanjaynaik@...mail.com> To: pawel.worach@...il.com Cc: bugtraq@...urityfocus.com Subject: Re: Checkpoint SYN DoS Vulnerability Pawel, We have done a complete test using TCPdump on the checkpoint side and Tethereal on the scanner side. We have tested this on atleast 3 dfferent firewalls and found the same issue with our scans. SYNdefender is disabled on the Nokia/Checkpoint firewall. Nokia's response after seeing the results of the scan has been that SYNdefender is still functional even if we disable it and valid authorized scans won't be allowed from the firewall as that is a product limitation! I don't agree this is a feature as that would be absurd. SYN Attack Protection is not enabled on the firewalls. The scans are being done from the Internal interface of the firewall and not the external interface. The firewall has a rule to accept ANY services for the scanner. The scans are sometimes successful and sometimes they get garbaged and how does that make it a feature? Look closely at the NMAP results I had sent. Those are the scans to the same host using the same NMAP options at 2 different times. I hope you see it now. There is no doubt on the fact that this is a bug and not a feature. Regards, Sanjay Naik, CISSP Sr. Security Consultant ----Original Message Follows---- From: "Pawel Worach" <pawel.worach@...il.com> To: sanjaynaik@...e.org CC: bugtraq@...urityfocus.com Subject: Re: Checkpoint SYN DoS Vulnerability Date: Tue, 16 May 2006 21:23:46 +0200 On 5/16/06, sanjay naik <sanjaynaik@...mail.com> wrote: >When a scan is intiated from the Inside interface of Checkpoint firewall, >the firewall responds with bogus information intermittently. I would like >to >submit the following bug for Checkpoint: I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a default configuration of VPN-1. Here is how a scan of a Internet host looks from a box behind the firewall. Port 21 is closed and port 80 is open on the Internet host. # nmap -sT -P0 -v -p 21,80 192.36.x.x ... Interesting ports on public.host.net (192.36.x.x): PORT STATE SERVICE 21/tcp closed ftp 80/tcp open http tcpdump says everything is sane, ftp attempt: 21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol> 21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0 http attempt: 21:04:08.390810 IP proxy1.58059 > public.http: S 2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol> 21:04:08.394968 IP public.http > proxy1.58059: S 1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 885493884 761562441> 21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304 <nop,nop,timestamp 761562445 885493884> 21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304 What CheckPoint products are enabled on the firewall ? What are the SmartDefense settings for "TCP/SYN Attack Configuration" ? If "SYN Attack protection" is enabled the firewall does what it's told to do. After x packets/timeout it will switch to SYN relay mode and will do the three-way handshake on behalf of the destination host. This feature is normally only enabled on the external interface. "It's not a bug, it's a feature" -- Pawel Worach Security Specialist, SDO Networks NP/IBM Sweden _________________________________________________________________ On the road to retirement? Check out MSN Life Events for advice on how to get there! http://lifeevents.msn.com/category.aspx?cid=Retirement
Powered by blists - more mailing lists