Date: Tue Sep 20 19:50:39 2005
From: sil at infiltrated.net (J. Oquendo)
Subject: Checkpoint VPN DoS woes


While tinkering with my VPN connections, servers, firewalls and routers, I
brought the network to its knees with an attack from one machine to
itself using a spoofed private address. The program I was using was
something I wrote and it shredded my Checkpoint and its VPNs to oblivion
both internally and externally. This is what syslog-ng reported before the
connection was toasted...

Sep 20 13:06:09 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:13 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:19 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:20 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:26 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:32 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:38 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:50 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:10:56 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:13:02 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An
internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6

I had to connect to my firewall from an outside source because my
internal connection (10.1.11.0/24 range) was unable to either send or
receive any kind of packets. Seems like the program choked the firewall.
After a reboot of both the router and the Linux server I set up to do my
pentest, the router was still choked until I shut down the Linux machine.
All of this with 149 packets...

[root@...es log]# uname -a
Linux hades 2.6.9-11.ELsmp #1 SMP Wed Jun 8 17:54:20 CDT 2005 i686 i686 i386 GNU/Linux

Network would not come back up without this machine being offline. Linux
machine was choked to shreds as well. Won't post code for now but I would
like someone over at Checkpoint to have a browse at it to assess what went
on. Addresses and names are obviously removed. Again... Someone at
Checkpoint or better. People looking for stupid DoS tools will not receive
a response, this message is not meant for you - or j0o however you want to
be addressed.

# ssh xxxxx@....xxx.xxx.xxx
xxxxx@....xxx.xxx.xxx's password:
Welcome to Safe@...ice 425W, unlimited nodes 5.0.90x 00:08:da:xx:xx:xx

>show vpn sites
 1:
  disabled false
  name NYCFW
  gateway xxx.xxx.xxx.2
  gateway2 undefined
  loginmode automatic
  configmode automatic
  authmethod certificate
  type sitetosite
  keepalive disabled
  bypassnat enabled
  bypassfw enabled
  user xxxxxxx
  password ""
  topopass xxxxxxxxxxx
  net1 undefined
  netmask1 undefined
  net2 undefined
  netmask2 undefined
  net3 undefined
  netmask3 undefined
  usepfs false
  phase1ikealgs automatic
  phase1exptime 0
  phase2ikealgs automatic
  phase2exptime 0
  phase1dhgroup automatic
  phase2dhgroup automatic
  dnsname xxx.xxx.xxx.2

 2:
  disabled false
  name MAFW
  gateway xxx.xxx.xxx.100
  gateway2 undefined
  loginmode automatic
  configmode automatic
  authmethod certificate
  type sitetosite
  keepalive disabled
  bypassnat enabled
  bypassfw enabled
  user xxxxxxx
  password ""
  topopass xxxxxxxxxxx
  net1 undefined
  netmask1 undefined
  net2 undefined
  netmask2 undefined
  net3 undefined
  netmask3 undefined
  usepfs false
  phase1ikealgs automatic
  phase1exptime 0
  phase2ikealgs automatic
  phase2exptime 0
  phase1dhgroup automatic
  phase2dhgroup automatic
  dnsname xxx.xxx.xxx.100


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why
 explain the gravity that drove you to this..." Assemblage
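
Added example, not part of the original post and not the poster's program: a
small detector that reads gateway log entries in the format quoted above and
flags bursts of "internal error" events from a private source address that
does not belong to the protected LAN. The 10.1.11.0/24 range and the year come
from the post; the window, threshold and the last sample line are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: LAN range as named in the post; year taken from the post's Date header.
INTERNAL_NET = ipaddress.ip_network("10.1.11.0/24")
YEAR = 2005

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+<\d+>\s+packet\s+"
    r"\((?P<msg>[^)]*)\)\s+Src:(?P<src>\S+)\s+Dst:(?P<dst>\S+)\s+IPP:\d+"
)

# Constructed sample: five entries from the post re-joined onto one line each,
# plus one constructed entry from a host inside the LAN (must not be flagged).
SAMPLE = """\
Sep 20 13:06:09 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:13 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:19 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:20 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:26 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:21 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002>  packet (An internal error has occurred.) Src:10.1.11.7 Dst:10.1.11.240 IPP:6
"""

def parse(lines):
    """Yield (timestamp, message, src, dst) for each line in the gateway's packet-log format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["msg"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])

def suspicious_sources(lines, window=timedelta(minutes=1), threshold=3):
    """Return {src: peak event count in any window} for foreign private sources hitting the LAN."""
    times = defaultdict(list)
    for ts, msg, src, dst in parse(lines):
        if ("internal error" in msg.lower() and dst in INTERNAL_NET
                and src.is_private and src not in INTERNAL_NET):
            times[src].append(ts)
    alerts = {}
    for src, stamps in times.items():
        stamps.sort(); start = best = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[str(src)] = best
    return alerts
```

Calling suspicious_sources(SAMPLE.splitlines()) reports 10.10.10.10 with a peak
of four events inside one minute and ignores the in-LAN source.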
