Date: Thu, 29 Jul 1999 12:26:17 -0400
From: Lance Spitzner <spitzner@DIMENSION.NET.>
To: [email protected]Subject: Simple DOS attack on FW-1
Oh great wise one. I would not have thought this
worthy of Bugtraq, accept that it is so brain dead
simple, yet extremely deadly. Also, you can just
as easily DOS yourself with this by accident.
I've stumbled across a simple Denial of Service attack for
FW-1, many of you may already be aware of this. You can
effectively shutdown FW-1 by filling its connections table.
This is easily done in about 15 minutes with most port
scanners.
When FW-1's state connections table is full, it can no longer
accept any more connections (usually between 25,000-35,000
connections, depending on your system). You can increase this
number by increasing kernel memory for the FW-1 module and
hacking ../lib/table.def) However, a port scanner can build
that many connections in a manner of minutes.
FW-1 tears down a connection whenever it sees a FIN or RST packet.
However, if you scan a system that does not exist, the FW
builds a connection in its table for every new packet, but will
never see a FIN or RST because there is no system to respond.
The default TCP timeout time on FW-1 is 3600 seconds. So all
these new connections that are genereated will sit in FW-1's
connections table for an hour. You should now understand
how easy it is to fill the connections table.
Any malicious black-hat or disgruntled employee can fill
your connections table. Many organiztion allow all
outbound traffic. Someone can simply scan a non-existant
target outbound and fill the connections table. They
even can be sneaky about it and use nmap with the'-D'
option, so someone else gets blamed for the scanning activity.
The main reason I consider this 'exploit' dangerous, is not only
is it easy for any black-hat to do, but it is very easy for you
to do accidently (as I did :). Imagine you are asked to
verify a system. You fire up your port scanner and start
scanning several systems. However, you do not realize that
you fat fingered the systems and are now scanning non-existant
IPs. 15 minutes later you are getting calls that no new
connections can be made through the firewall :(
Several things you can do to protect yourself.
1. Build up your connections table (see www.phoneboy.com)
2. Decrease you TCP timeout (default is 1 hour)
3. Deny as much traffic as you can. If the packet is denied,
it never enters the connections table.
4. Set up alerts if someone is generating ALOT of new sessions.
For more information on FW-1's state connections table, see
http://www.enteract.com/~lspitz/fwtable.html
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
