Re: Checkpoint SYN DoS Vulnerability
Pawel,
We have done a complete test using TCPdump on the checkpoint side and
Tethereal on the scanner side. We have tested this on atleast 3 dfferent
firewalls and found the same issue with our scans.
SYNdefender is disabled on the Nokia/Checkpoint firewall. Nokia's response
after seeing the results of the scan has been that SYNdefender is still
functional even if we disable it and valid authorized scans won't be allowed
from the firewall as that is a product limitation!
I don't agree this is a feature as that would be absurd. SYN Attack
Protection is not enabled on the firewalls. The scans are being done from
the Internal interface of the firewall and not the external interface. The
firewall has a rule to accept ANY services for the scanner. The scans are
sometimes successful and sometimes they get garbaged and how does that make
it a feature?
Look closely at the NMAP results I had sent. Those are the scans to the same
host using the same NMAP options at 2 different times. I hope you see it
now.
There is no doubt on the fact that this is a bug and not a feature.
Regards,
Sanjay Naik, CISSP
Sr. Security Consultant
----Original Message Follows----
From: "Pawel Worach" <pawel.worach@xxxxxxxxx>
To: sanjaynaik@xxxxxxxx
CC: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Checkpoint SYN DoS Vulnerability
Date: Tue, 16 May 2006 21:23:46 +0200
On 5/16/06, sanjay naik <sanjaynaik@xxxxxxxxxxx> wrote:
When a scan is intiated from the Inside interface of Checkpoint firewall,
the firewall responds with bogus information intermittently. I would like
to
submit the following bug for Checkpoint:
I do not see this problem with NGX R60 on Nokia IPSO 4.0 running a
default configuration of VPN-1.
Here is how a scan of a Internet host looks from a box behind the firewall.
Port 21 is closed and port 80 is open on the Internet host.
# nmap -sT -P0 -v -p 21,80 192.36.x.x
...
Interesting ports on public.host.net (192.36.x.x):
PORT STATE SERVICE
21/tcp closed ftp
80/tcp open http
tcpdump says everything is sane, ftp attempt:
21:04:08.390785 IP proxy1.58058 > public.ftp: S 515488128:515488128(0)
win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 761562441
0,sackOK,eol>
21:04:08.394963 IP public.ftp > proxy1.58058: R 0:0(0) ack 515488129 win 0
http attempt:
21:04:08.390810 IP proxy1.58059 > public.http: S
2222076892:2222076892(0) win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 761562441 0,sackOK,eol>
21:04:08.394968 IP public.http > proxy1.58059: S
1188563319:1188563319(0) ack 2222076893 win 65535 <mss 1460,nop,wscale
1,nop,nop,timestamp 885493884 761562441>
21:04:08.394993 IP proxy1.58059 > public.http: . ack 1 win 33304
<nop,nop,timestamp 761562445 885493884>
21:04:08.395036 IP proxy1.58059 > public.http: R 1:1(0) ack 1 win 33304
What CheckPoint products are enabled on the firewall ? What are the
SmartDefense settings for "TCP/SYN Attack Configuration" ? If "SYN
Attack protection" is enabled the firewall does what it's told to do.
After x packets/timeout it will switch to SYN relay mode and will do
the three-way handshake on behalf of the destination host. This
feature is normally only enabled on the external interface.
"It's not a bug, it's a feature"
--
Pawel Worach
Security Specialist, SDO Networks
NP/IBM Sweden
_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement