lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 16 May 2006 21:23:46 +0200
From: "Pawel Worach" <pawel.worach@...il.com>
To: sanjaynaik@...e.org
Cc: bugtraq@...urityfocus.com
Subject: Re: Checkpoint SYN DoS Vulnerability


On 5/16/06, sanjay naik <sanjaynaik@...mail.com> wrote:

> When a scan is intiated from the Inside interface of Checkpoint firewall,
> the firewall responds with bogus information intermittently. I would like to
> submit the following bug for Checkpoint:

I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a
default configuration of VPN-1.
Here is how a scan of a Internet host looks from a box behind the firewall.
Port 21 is closed and port 80 is open on the Internet host.

# nmap -sT -P0 -v -p 21,80 192.36.x.x
...
Interesting ports on public.host.net (192.36.x.x):
PORT   STATE  SERVICE
21/tcp closed ftp
80/tcp open   http

tcpdump says everything is sane, ftp attempt:
21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0)
win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441
0,sackOK,eol>
21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0

http attempt:
21:04:08.390810 IP proxy1.58059 > public.http: S
2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394968 IP public.http > proxy1.58059: S
1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 885493884 761562441>
21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304
<nop,nop,timestamp 761562445 885493884>
21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304

What CheckPoint products are enabled on the firewall ? What are the
SmartDefense settings for "TCP/SYN Attack Configuration" ? If "SYN
Attack protection" is enabled the firewall does what it's told to do.
After x packets/timeout it will switch to SYN relay mode and will do
the three-way handshake on behalf of the destination host. This
feature is normally only enabled on the external interface.

"It's not a bug, it's a feature"

-- 
Pawel Worach
Security Specialist, SDO Networks
NP/IBM Sweden

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ