| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Sep 26 00:45:56 2005 From: sixsigma98 at hotmail.com (Ray P) Subject: Checkpoint VPN DoS woes Hi J., I guess I'm missing something. If the spoofed source address was 10.10.10.10 and it originated from the internal network, then it would have had to get to the Check Point firewall via some route you have set up or the default route. When a packet hits a Check Point interface and it's source IP is not from that segment as defined in the anti-spoofing topology, Check Point will drop it. In fact I monitor spoofing drops daily just to see what's going on in the world. "After a reboot of both the router and the Linux server" - What router? The one between the Check Point internal interface and your LAN? Since this involves a SofaWare box, you probably would do better to post it on the Discussion Groups at www.sofaware.com . Those are official support forums and they do monitor and reply to postings frequently. You also might want to try the 5.0.92 firmware as that's what is current. Ray >From: "J. Oquendo" <sil@...iltrated.net> >To: full-disclosure@...ts.grok.org.uk >Subject: [Full-disclosure] Checkpoint VPN DoS woes >Date: Tue, 20 Sep 2005 14:50:28 -0400 (EDT) > > >While tinkering with my VPN connections, servers, firewalls and routers, I >brang down the network to its knees with an attack from one machine to >itself using a spoofed private address. The program I was using was >something I wrote and it shredded my Checkpoint and its VPN's to oblivion >both internally and externally. This is what syslog-ng reported before the >connection was toasted... > >Sep 20 13:06:09 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:08:13 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:08:19 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:08:20 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:08:26 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:08:32 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:08:38 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:08:50 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:10:56 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 >Sep 20 13:13:02 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An >internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6 > >I had to connect to my firewall from an outside source because my >internal connection (10.1.11.0/24 range) was unable to both send or >receive any kind of packets. Seems like the program choked the firewall. >After a reboot of both the router and the Linux server I set up to do my >pentest, the router was still choked until I shut down the Linux machine. >All of this with 149 packets... > >[root@...es log]# uname -a >Linux hades 2.6.9-11.ELsmp #1 SMP Wed Jun 8 17:54:20 CDT 2005 i686 i686 >i386 GNU/Linux > >Network would not come back up without this machine being offline. Linux >machine was choked to shreds as well. Won't post code for now but I would >like someone over at Checkpoint to have a browse at it to assess what went >on. Addresses and names are obviously removed. Again... Someone at >Checkpoint or better. People looking for stupid DoS tools will not receive >a response, this message is not meant for you - or j0o however you want to >be addressed. > ># ssh xxxxx@....xxx.xxx.xxx >xxxxx@....xxx.xxx.xxx's password: >Welcome to Safe@...ice 425W, unlimited nodes 5.0.90x 00:08:da:xx:xx:xx > > >show vpn sites > 1: > disabled false > name NYCFW > gateway xxx.xxx.xxx.2 > gateway2 undefined > loginmode automatic > configmode automatic > authmethod certificate > type sitetosite > keepalive disabled > bypassnat enabled > bypassfw enabled > user xxxxxxx > password "" > topopass xxxxxxxxxxx > net1 undefined > netmask1 undefined > net2 undefined > netmask2 undefined > net3 undefined > netmask3 undefined > usepfs false > phase1ikealgs automatic > phase1exptime 0 > phase2ikealgs automatic > phase2exptime 0 > phase1dhgroup automatic > phase2dhgroup automatic > dnsname xxx.xxx.xxx.2 > > 2: > disabled false > name MAFW > gateway xxx.xxx.xxx.100 > gateway2 undefined > loginmode automatic > configmode automatic > authmethod certificate > type sitetosite > keepalive disabled > bypassnat enabled > bypassfw enabled > user xxxxxxx > password "" > topopass xxxxxxxxxxx > net1 undefined > netmask1 undefined > net2 undefined > netmask2 undefined > net3 undefined > netmask3 undefined > usepfs false > phase1ikealgs automatic > phase1exptime 0 > phase2ikealgs automatic > phase2exptime 0 > phase1dhgroup automatic > phase2dhgroup automatic > dnsname xxx.xxx.xxx.100 > > >=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ >J. Oquendo >GPG Key ID 0x97B43D89 >http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89 > >"Just one more time for the sake of sanity tell me why > explain the gravity that drove you to this..." Assemblage >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists