From: Lance Spitzner [spitzner@DIMENSION.NET]
Sent: Thursday, July 29, 1999 12:26 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Simple DOS attack on FW-1

Oh great wise one. I would not have thought this worthy of Bugtraq, except that it is so brain dead simple, yet extremely deadly. Also, you can just as easily DOS yourself with this by accident.

I've stumbled across a simple Denial of Service attack for FW-1; many of you may already be aware of this. You can effectively shut down FW-1 by filling its connections table. This is easily done in about 15 minutes with most port scanners.

When FW-1's state connections table is full, it can no longer accept any more connections (usually between 25,000-35,000 connections, depending on your system; you can increase this number by increasing kernel memory for the FW-1 module and hacking ../lib/table.def). However, a port scanner can build that many connections in a matter of minutes.

FW-1 tears down a connection whenever it sees a FIN or RST packet. However, if you scan a system that does not exist, the FW builds a connection in its table for every new packet, but will never see a FIN or RST because there is no system to respond. The default TCP timeout on FW-1 is 3600 seconds, so all these new connections that are generated will sit in FW-1's connections table for an hour. You should now understand how easy it is to fill the connections table.

Any malicious black-hat or disgruntled employee can fill your connections table. Many organizations allow all outbound traffic. Someone can simply scan a non-existent target outbound and fill the connections table. They can even be sneaky about it and use nmap with the '-D' option, so someone else gets blamed for the scanning activity.

The main reason I consider this 'exploit' dangerous is not only that it is easy for any black-hat to do, but that it is very easy for you to do accidentally (as I did :). Imagine you are asked to verify a system. You fire up your port scanner and start scanning several systems. However, you do not realize that you fat-fingered the systems and are now scanning non-existent IPs. 15 minutes later you are getting calls that no new connections can be made through the firewall :(

Several things you can do to protect yourself:

1. Build up your connections table (see www.phoneboy.com)
2. Decrease your TCP timeout (default is 1 hour)
3. Deny as much traffic as you can. If the packet is denied, it never enters the connections table.
4. Set up alerts if someone is generating a lot of new sessions.

For more information on FW-1's state connections table, see http://www.enteract.com/~lspitz/fwtable.html

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
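The following is an added example, not code from the post or from Check Point: a toy Python model of a stateful connection table with the behaviour described above (entry created on a connection's first packet, torn down on FIN/RST, otherwise expired only after the TCP timeout), run against a scan of a host that never answers. The table limit, timeout and addresses are constructed for the simulation; noisy_sources() is a simple version of mitigation 4 (alert on a source opening a lot of new sessions), and running simulate() with a short timeout shows the effect of mitigation 2.

```python
from collections import Counter, OrderedDict, deque

TABLE_LIMIT = 25_000        # low end of the 25,000-35,000 range given in the post
DEFAULT_TCP_TIMEOUT = 3600  # FW-1 default TCP timeout in seconds, per the post

class StateTable:
    def __init__(self, limit=TABLE_LIMIT, tcp_timeout=DEFAULT_TCP_TIMEOUT):
        self.limit, self.timeout = limit, tcp_timeout
        self.entries = OrderedDict()  # (src, sport, dst, dport) -> last seen, oldest first
        self.dropped = 0              # new connections refused because the table was full
        self.new_log = deque()        # (time, src) for every new entry, for the rate alert

    def packet(self, now, key, flags):
        """Process one packet at time `now`; True if the state table let it through."""
        while self.entries and now - next(iter(self.entries.values())) >= self.timeout:
            self.entries.popitem(last=False)     # idle-timeout expiry, oldest first
        if flags & {"FIN", "RST"}:
            self.entries.pop(key, None)          # teardown: the only early way out
            return True
        if key in self.entries:
            self.entries[key] = now
            self.entries.move_to_end(key)
            return True
        if len(self.entries) >= self.limit:
            self.dropped += 1                    # table full: no new connection passes
            return False
        self.entries[key] = now
        self.new_log.append((now, key[0]))
        return True

    def noisy_sources(self, now, window=60, threshold=1000):
        """Mitigation 4: sources that opened more than `threshold` new sessions in `window` s."""
        while self.new_log and now - self.new_log[0][0] >= window:
            self.new_log.popleft()
        counts = Counter(src for _, src in self.new_log)
        return {s for s, n in counts.items() if n > threshold}

def simulate(tcp_timeout, scan_pps=100, scan_seconds=900):
    """SYNs to a host that never answers at scan_pps/s for scan_seconds (constructed
    addresses), then one legitimate connection. Returns (live entries, legit passed, alerted)."""
    fw, alerted = StateTable(tcp_timeout=tcp_timeout), set()
    for i in range(scan_pps * scan_seconds):
        now = i // scan_pps
        if i % scan_pps == 0:
            alerted |= fw.noisy_sources(now)   # check the alert once per second
        key = ("10.0.0.5", 1024 + i % 60000, "192.0.2.1", 1 + i // 60000)
        fw.packet(now, key, {"SYN"})           # no FIN/RST ever comes back
    ok = fw.packet(scan_seconds, ("10.0.0.7", 50000, "198.51.100.10", 443), {"SYN"})
    return len(fw.entries), ok, alerted
```

With the 3600 s default the table holds 25,000 dead entries after the 15-minute scan and refuses the legitimate connection; with a 60 s timeout it settles around 6,000 live entries and the connection passes, and in both runs the session-rate alert names the scanning source within seconds of the scan starting.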