
List:       bugtraq
Subject:    Re: NT DoS on FW-1 (fwd)
From:       Matt <matt () USE ! NET>
Date:       1999-07-31 2:14:49

A FireWall-1 NT denial of service was actually discovered/discussed on
bugtraq in February using similar methodologies to those described by
Lance Spitzner in his recent mail. This is one of the public posts,
but there was quite a bit of discussion in private mail as well.

To summarize: Someone was claiming that this problem was not in
FireWall-1 NT, but NT's IP stack that was causing the crash. I was fairly
certain this was not the case, as I had just done quite a bit of testing against NT 4.0
SP4 at the time with nmap. I had followed up by testing FireWall-1 NT
v4.1, and it did crash (the NT service shot up to 100% CPU usage) when
several spoofed SYN scans were run against its untrusted interface. The
difference between this attack and the one Lance has described is that
this attack appeared to work against both the trusted and untrusted
interfaces, and can be performed over multiple hops.

An interesting addition--I also noticed that when pinging the
untrusted/external interface of FireWall-1 NT v4.1 with large (>32k) ping
packets, there seemed to be incremental growth of non-paged kernel memory
(viewable in Task Manager, on the Performance tab). I didn't have time to
test this to see if it capped off after a certain point or not, though. If
it is incremental, this is another denial of service that could be
performed from a remote untrusted network.

I would be interested to find out if either of these problems continue to
manifest themselves in the latest versions of FireWall-1 NT and Solaris.
If anyone has a FireWall-1 installation handy, it shouldn't take but a
minute to test.

ttyl


-----------------------------------------
Matt Hargett
mailto:matt@use.net
http://www.clock.org/~matt



---------- Forwarded message ----------
Date: Sun, 21 Feb 1999 17:43:44 -0600 (CST)
From: Matt Hargett <hargett@wintermute.cityscape.net>
To: bugtraq@netspace.org
Cc: malikai@INTERACTIVEALIEN.COM
Subject: RE: NT DoS on FW-1

>This issue can be fixed by simply implementing a stealthing rule on the
>firewall itself. The problem is in NT's stack, not the FireWalls.
>
> Jamie Thain wrote:
>
> > Timothy,
> >
> > > I was running nmap against a client's Checkpoint FW-1
> > > when they called to inform me that it had crashed.  I
> > > was not on site so unfortunately I have little
> > > details.
> >
> > I have seen this before where a high speed port scanner running against a
> > FW-1 on NT seems to crash it. FW-1 does not exhibit this behaviour on
> > Sun. You may want to check and make sure you have the most recent patch
> > level. That information is on the FW-1 site.
> >
> > > I DO know that they were running it on a NT
> > > box and it was behind a Cisco 3640.

I have done a bit of testing using nmap against NT 4.0 with
SP4. My findings were that plain NT 4.0 SP4 doesn't
crash/behave erratically by itself with the many instances of nmap
options that I tried. Certainly not a simple SYN scan with OS
fingerprinting.

What exactly is the problem in NT's stack and how exactly can you measure
its adverse reaction? I was looking under Task Manager at the nonpaged
kernel memory, process, thread, and handle counts.


-----------------------------------------
Matt Hargett
http://www.cityscape.net/~hargett
matt@use.net

sex on the TV, everybody's at it
and the mind gets dirty
as you get closer
to thirty
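The open question in both messages is how to measure the host's reaction: whether non-paged kernel memory keeps climbing under the large-ping test (a leak that will eventually exhaust the pool) or levels off after an initial rise. The script below is an added example, not code from Matt or from the list; it reads a series of "Pool Nonpaged Bytes" readings and classifies the trend. The CSV layout mirrors what Windows' typeperf writes, but the host name FW1, the timestamps and every reading are constructed for illustration, and the thresholds are assumptions to tune per host.

```python
"""Trend check for Windows 'Pool Nonpaged Bytes' samples (added example).

Decides whether non-paged pool readings taken while a host is under test keep
growing, plateau after an initial rise, or stay flat. The same check works for
handle, thread or process counts sampled the same way.
"""
import csv
import io

# Constructed typeperf-style counter logs: host FW1, timestamps and values are
# invented for this example, not measurements of a real FireWall-1 host.
LEAK_CSV = r'''"(PDH-CSV 4.0)","\\FW1\Memory\Pool Nonpaged Bytes"
"02/21/1999 17:43:44.000","4000000.000000"
"02/21/1999 17:44:14.000","4250000.000000"
"02/21/1999 17:44:44.000","4500000.000000"
"02/21/1999 17:45:14.000","4760000.000000"
"02/21/1999 17:45:44.000","5010000.000000"
"02/21/1999 17:46:14.000","5270000.000000"
"02/21/1999 17:46:44.000","5530000.000000"
"02/21/1999 17:47:14.000","5800000.000000"
'''

PLATEAU_CSV = r'''"(PDH-CSV 4.0)","\\FW1\Memory\Pool Nonpaged Bytes"
"02/21/1999 18:00:00.000","4000000.000000"
"02/21/1999 18:00:30.000","4250000.000000"
"02/21/1999 18:01:00.000","4500000.000000"
"02/21/1999 18:01:30.000","4700000.000000"
"02/21/1999 18:02:00.000","4800000.000000"
"02/21/1999 18:02:30.000","4805000.000000"
"02/21/1999 18:03:00.000","4808000.000000"
"02/21/1999 18:03:30.000","4810000.000000"
"02/21/1999 18:04:00.000","4811000.000000"
'''

# Constructed flat series, already parsed: a host that does not react at all.
STABLE_SAMPLES = [("t%d" % i, v) for i, v in enumerate(
    [4_000_000, 4_003_000, 3_998_000, 4_002_000, 4_005_000, 4_001_000, 4_008_000])]


def parse_counter_csv(text):
    """Return [(timestamp, bytes)] from typeperf CSV, skipping the header row."""
    rows = list(csv.reader(io.StringIO(text)))
    return [(ts, int(float(val))) for ts, val in rows[1:] if ts]


def tail_rate(samples, tail=4):
    """Average growth in bytes per sampling interval over the last `tail` steps."""
    values = [v for _, v in samples]
    if len(values) < tail + 1:
        raise ValueError("need at least %d samples" % (tail + 1))
    return (values[-1] - values[-1 - tail]) / tail


def classify_trend(samples, tail=4, min_growth_frac=0.01):
    """Classify the series as 'stable', 'plateau' or 'growing'.

    min_growth_frac is an assumed threshold: growth below 1% of the first
    reading is treated as noise. 'growing' means the pool is still climbing
    in the last `tail` intervals, which is the case worth worrying about.
    """
    values = [v for _, v in samples]
    if len(values) < tail + 1:
        raise ValueError("need at least %d samples" % (tail + 1))
    baseline = values[0]
    noise_floor = min_growth_frac * baseline
    total_growth = values[-1] - baseline
    if total_growth <= noise_floor:
        return "stable"
    if values[-1] - values[-1 - tail] > noise_floor:
        return "growing"
    return "plateau"


def summarize(samples, tail=4):
    """Compact report dict for a series, suitable for logging or a test rig."""
    values = [v for _, v in samples]
    return {
        "trend": classify_trend(samples, tail=tail),
        "first": values[0],
        "last": values[-1],
        "tail_rate": tail_rate(samples, tail=tail),
    }


if __name__ == "__main__":
    for name, text in (("leak", LEAK_CSV), ("plateau", PLATEAU_CSV)):
        print(name, summarize(parse_counter_csv(text)))
    print("stable", summarize(STABLE_SAMPLES))
```

On a live host the readings would come from `typeperf "\Memory\Pool Nonpaged Bytes" -si 30 -o pool.csv` captured before, during and after the test traffic; the classification only means something if the sampling window extends past the point where the traffic stops, so a "plateau" can be told apart from a leak that merely ran out of test packets.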
