Re: Checkpoint SYN DoS Vulnerability

["sanjay naik" <sanjaynaik@xxxxxxxxxxx>]

Pawel,

We have done a complete test using TCPdump on the checkpoint side and 
Tethereal on the scanner side. We have tested this on atleast 3 dfferent 
firewalls and found the same issue with our scans.

SYNdefender is disabled on the Nokia/Checkpoint firewall. Nokia's response 
after seeing the results of the scan has been that SYNdefender is still 
functional even if we disable it and valid authorized scans won't be allowed 
from the firewall as that is a product limitation!

I don't agree this is a feature as that would be absurd. SYN Attack 
Protection is not enabled on the firewalls. The scans are being done from 
the Internal interface of the firewall and not the external interface. The 
firewall has a rule to accept ANY services for the scanner. The scans are 
sometimes successful and sometimes they get garbaged and how does that make 
it a feature?

Look closely at the NMAP results I had sent. Those are the scans to the same 
host using the same NMAP options at 2 different times. I hope you see it 
now.

There is no doubt on the fact that this is a bug and not a feature.

Regards,
Sanjay Naik, CISSP
Sr. Security Consultant


----Original Message Follows----
From: "Pawel Worach" <pawel.worach@xxxxxxxxx>
To: sanjaynaik@xxxxxxxx
CC: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Checkpoint SYN DoS Vulnerability
Date: Tue, 16 May 2006 21:23:46 +0200

On 5/16/06, sanjay naik <sanjaynaik@xxxxxxxxxxx> wrote:

> When a scan is intiated from the Inside interface of Checkpoint firewall,
> the firewall responds with bogus information intermittently. I would like 
> to
> submit the following bug for Checkpoint:

I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a
default configuration of VPN-1.
Here is how a scan of a Internet host looks from a box behind the firewall.
Port 21 is closed and port 80 is open on the Internet host.

# nmap -sT -P0 -v -p 21,80 192.36.x.x
...
Interesting ports on public.host.net (192.36.x.x):
PORT   STATE  SERVICE
21/tcp closed ftp
80/tcp open   http

tcpdump says everything is sane, ftp attempt:
21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0)
win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441
0,sackOK,eol>
21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0

http attempt:
21:04:08.390810 IP proxy1.58059 > public.http: S
2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394968 IP public.http > proxy1.58059: S
1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 885493884 761562441>
21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304
<nop,nop,timestamp 761562445 885493884>
21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304

What CheckPoint products are enabled on the firewall ? What are the
SmartDefense settings for "TCP/SYN Attack Configuration" ? If "SYN
Attack protection" is enabled the firewall does what it's told to do.
After x packets/timeout it will switch to SYN relay mode and will do
the three-way handshake on behalf of the destination host. This
feature is normally only enabled on the external interface.

"It's not a bug, it's a feature"

--
Pawel Worach
Security Specialist, SDO Networks
NP/IBM Sweden

_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to 
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement