Message-ID: <d227e09e0605161223m6d1f9cdfta6dac8ac0fe4e1b4@mail.gmail.com>
Date: Tue, 16 May 2006 21:23:46 +0200
From: "Pawel Worach" <pawel.worach@...il.com>
To: sanjaynaik@...e.org
Cc: bugtraq@...urityfocus.com
Subject: Re: Checkpoint SYN DoS Vulnerability
On 5/16/06, sanjay naik <sanjaynaik@...mail.com> wrote:
> When a scan is initiated from the Inside interface of Checkpoint firewall,
> the firewall responds with bogus information intermittently. I would like to
> submit the following bug for Checkpoint:
I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a
default configuration of VPN-1.
Here is how a scan of an Internet host looks from a box behind the firewall.
Port 21 is closed and port 80 is open on the Internet host.
# nmap -sT -P0 -v -p 21,80 192.36.x.x
...
Interesting ports on public.host.net (192.36.x.x):
PORT STATE SERVICE
21/tcp closed ftp
80/tcp open http
tcpdump says everything is sane, ftp attempt:
21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0
http attempt:
21:04:08.390810 IP proxy1.58059 > public.http: S 2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394968 IP public.http > proxy1.58059: S 1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 885493884 761562441>
21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304 <nop,nop,timestamp 761562445 885493884>
21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304
What CheckPoint products are enabled on the firewall? What are the
SmartDefense settings for "TCP/SYN Attack Configuration"? If "SYN
Attack protection" is enabled the firewall does what it's told to do.
After x packets/timeout it will switch to SYN relay mode and will do
the three-way handshake on behalf of the destination host. This
feature is normally only enabled on the external interface.
"It's not a bug, it's a feature"
--
Pawel Worach
Security Specialist, SDO Networks
NP/IBM Sweden
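Added example, not part of the thread and not Check Point's code: a small Python model of the pass-through versus SYN relay behaviour Pawel describes, showing why a connect() scan (nmap -sT) reports closed ports as "open" once the relay kicks in. The threshold, the class names and the reply strings are assumptions for illustration only; the real product's trigger logic and timers are whatever SmartDefense is configured to.

```python
"""
Model of a firewall with SYN attack protection in two modes (assumed
simplification, not the vendor's implementation):

  pass-through  -> client's SYN reaches the destination, client gets the
                   real SYN/ACK or RST, so a scan sees true open/closed.
  SYN relay     -> after more than `threshold` SYNs in one window the
                   firewall answers SYN/ACK itself and only talks to the
                   destination after the client's ACK.  Every port then
                   looks "open" to a scanner judging by the first reply,
                   and a closed port is reset a moment later.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    """Internet host being scanned: the set of ports that listen."""
    open_ports: set

    def handle_syn(self, port: int) -> str:
        # Plain TCP: SYN to a listener gets SYN/ACK, anything else gets RST.
        return "SYN/ACK" if port in self.open_ports else "RST"


@dataclass
class SynDefendingFirewall:
    server: Server
    threshold: int = 5            # assumed "x packets" trigger value
    relay_mode: bool = False
    syns_seen: int = 0
    log: list = field(default_factory=list)

    def client_syn(self, port: int) -> str:
        """First packet of the handshake as seen from the inside host."""
        self.syns_seen += 1
        if self.syns_seen > self.threshold:
            self.relay_mode = True
        if self.relay_mode:
            # Relay: reply on behalf of the destination without asking it.
            self.log.append(f"relay: firewall sent SYN/ACK for port {port}")
            return "SYN/ACK"
        reply = self.server.handle_syn(port)
        self.log.append(f"pass-through: port {port} -> {reply}")
        return reply

    def client_ack(self, port: int) -> str:
        """Client's ACK.  In relay mode the firewall now does the backend
        handshake; if the destination refuses, the client gets a late RST."""
        if not self.relay_mode:
            return "ESTABLISHED"
        reply = self.server.handle_syn(port)
        self.log.append(f"relay: backend handshake for port {port} -> {reply}")
        return "ESTABLISHED" if reply == "SYN/ACK" else "RST"

    def timeout(self) -> None:
        """Window expired: counter cleared, back to pass-through."""
        self.syns_seen = 0
        self.relay_mode = False


def connect_scan(fw: SynDefendingFirewall, ports) -> dict:
    """What a connect()-style scanner reports: open on SYN/ACK, closed on
    RST, decided on the first reply exactly as nmap -sT does."""
    results = {}
    for p in ports:
        if fw.client_syn(p) == "SYN/ACK":
            results[p] = "open"
            fw.client_ack(p)       # scanner finishes the handshake, then resets
        else:
            results[p] = "closed"
    return results


def demo():
    """Two scans of the same host: a quiet one below the threshold and a
    wider one that trips SYN relay.  Returns (quiet, noisy, firewall log)."""
    srv = Server(open_ports={80})              # constructed: only http listens
    fw = SynDefendingFirewall(server=srv, threshold=2)
    quiet = connect_scan(fw, [21, 80])
    fw.timeout()
    noisy = connect_scan(fw, [21, 22, 23, 25, 80])
    return quiet, noisy, fw.log


if __name__ == "__main__":
    quiet, noisy, log = demo()
    print("quiet scan:", quiet)
    print("noisy scan:", noisy)
    print("\n".join(log))
```

Running it, the quiet scan reports 21 closed and 80 open, matching the nmap output above; the wider scan reports 23, 25 and 80 as open even though only 80 listens, and the log shows the backend handshake for the closed ports ending in RST. That is the "bogus information intermittently" of the original report: it depends on whether the inside host's SYN rate crossed the SmartDefense trigger during that window, which is why the feature is normally left enabled only on the external interface.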