Open Source and information security mailing list archives
Message-ID: <bf0173120605181508k7b80f46cw2bdebeea552893da@mail.gmail.com>
Date: Fri, 19 May 2006 10:08:06 +1200
From: "Bojan Zdrnja" <bojan.zdrnja@...il.com>
To: "Erick Mechler" <emechler@...hometer.net>
Cc: sanjaynaik@...e.org, pawel.worach@...il.com,
	bugtraq@...urityfocus.com
Subject: Re: Checkpoint SYN DoS Vulnerability


On 5/17/06, Erick Mechler <emechler@...hometer.net> wrote:
> :: SYNdefender is disabled on the Nokia/Checkpoint firewall. Nokia's response
> :: after seeing the results of the scan has been that SYNdefender is still
> :: functional even if we disable it and valid authorized scans won't be
> :: allowed from the firewall as that is a product limitation!
>
> The most vocal piece of feedback I gave to CheckPoint back when I used
> their FW-1 products was to provide a Big Red Button(tm) to disable all of
> the SmartDefense functionality.  It was never made very clear to me, as the
> admin, when those things kicked in, and how they would affect my traffic
> flow.  I haven't used FW-1 in the last 12 months, so this might have been
> addressed, but I can't say for sure.

It wasn't - that's the problem. As I said in my first post, I've
experienced numerous problems with the Smart Defense module, which
doesn't care what your rules are set up like.
You just can't allow *ALL* traffic to go to the destination. Smart
Defense seems to be working on a lower level than the rules (or has
higher priority, the end result is the same) so if the SD module finds
your traffic inappropriate, it will drop it no matter what's in the
rules.

That's why I suspected that the SYN Defense module gets activated no
matter what's in the rules.

So, a question for Sanjay: can you set up a tcpdump sniffer in front
and behind, just to log all packets. Then run your scans and see what
happens at both ends. You can post pcap files somewhere so people
can look at them as well (just sanitize the IP addresses, if you need
to).

Cheers,

Bojan
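One way to compare the two captures Bojan asks for, as an added example that is not part of this thread: a minimal pcap reader that lists the TCP SYNs seen by the sniffer in front of the firewall that never showed up on the sniffer behind it. It assumes classic pcap files (not pcapng) with Ethernet/IPv4 frames; the addresses and packets below are constructed for the demonstration, not taken from the scan discussed above.

```python
import struct

def pcap_frames(data):
    """Yield link-layer frames from a classic (non-pcapng) pcap byte string."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_syns(data):
    """Set of (src, sport, dst, dport) for bare SYNs (SYN set, ACK clear)."""
    syns = set()
    addr = lambda b: ".".join(map(str, b))
    for frame in pcap_frames(data):
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]  # skip IP header (IHL * 4 bytes)
        if ip[9] != 6 or len(tcp) < 20 or tcp[13] & 0x12 != 0x02:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        syns.add((addr(ip[12:16]), sport, addr(ip[16:20]), dport))
    return syns

def dropped_syns(outside_pcap, inside_pcap):
    """SYNs seen by the outside sniffer that never appeared on the inside one."""
    return sorted(tcp_syns(outside_pcap) - tcp_syns(inside_pcap))

def _frame(src, sport, dst, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame; MACs zeroed, checksums left unset."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SCANNER, TARGET = "192.0.2.10", "198.51.100.5"  # constructed documentation addresses
OUTSIDE_PCAP = _pcap([_frame(SCANNER, 40001, TARGET, 22, 0x02),
                      _frame(SCANNER, 40002, TARGET, 80, 0x02),
                      _frame(SCANNER, 40003, TARGET, 443, 0x02),
                      _frame(TARGET, 80, SCANNER, 40002, 0x12)])  # SYN/ACK, ignored
INSIDE_PCAP = _pcap([_frame(SCANNER, 40002, TARGET, 80, 0x02),
                     _frame(SCANNER, 40003, TARGET, 443, 0x02)])

print(dropped_syns(OUTSIDE_PCAP, INSIDE_PCAP))  # [('192.0.2.10', 40001, '198.51.100.5', 22)]
```

With real captures, read both files with `open(path, "rb").read()` and pass them to `dropped_syns`; a SYN that appears only on the outside side is one the firewall silently discarded regardless of the rulebase.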

