Firewall-1 DoS / jolt2.c and cpd.c
History
In June 2000, Lance Spitzner identified a possible Denial of Service
(DoS) condition on Firewall-1 involving large IP fragments. Although
further studies have left some doubt over the exact conditions under
which the DoS works, programs such as jolt2.c can drive CPU
utilization to 100% and ultimately cause Checkpoint FW-1 to crash
on multiple platforms.
Furthermore, Firewall-1 is apparently unable to cope with spoofed
packets carrying the same IP address as itself but a different MAC
address. Although anti-spoofing is a standard feature of Firewall-1,
configuration errors may permit such packets to arrive at the interface,
causing the DoS.
Overview
Attackers have historically used fragmented IP packets as a way to pass
dangerous packets through a filtering device undetected. More
sophisticated devices, such as Firewall-1, therefore reassemble
fragmented IP packets before analyzing them and, where appropriate,
passing them on to their intended destination. Due to the way in which
the Firewall Module Kernel logs particular fragmentation events, a stream
of large IP fragments can cause the log write mechanism to consume all
host CPU resources.
Further research published on the Firewall-1 mailing list by Stephen
Gill, Brian Fernald and Rob Thomas at IBM showed that the issue may
not be one of IP fragmentation, but rather one of load. Their research
showed that any tool capable of producing a steady stream of IP
packets had the potential to drive the CPU load to 100%, whether the
packets were malformed or valid.