Hi J.,
I guess I'm missing something. If the spoofed source address was 10.10.10.10
and it originated from the internal network, then it would have had to get
to the Check Point firewall via some route you have set up or the default
route. When a packet hits a Check Point interface and its source IP is not
from that segment as defined in the anti-spoofing topology, Check Point will
drop it. In fact I monitor spoofing drops daily just to see what's going on
in the world.
"After a reboot of both the router and the Linux server" - What router? The
one between the Check Point internal interface and your LAN?
Since this involves a SofaWare box, you probably would do better to post it
on the Discussion Groups at www.sofaware.com. Those are official support
forums and they do monitor and reply to postings frequently. You also might
want to try the 5.0.92 firmware as that's what is current.
Ray
From: "J. Oquendo" <[EMAIL PROTECTED]>
To: [email protected]
Subject: [Full-disclosure] Checkpoint VPN DoS woes
Date: Tue, 20 Sep 2005 14:50:28 -0400 (EDT)
While tinkering with my VPN connections, servers, firewalls and routers, I
brought the network down to its knees with an attack from one machine to
itself using a spoofed private address. The program I was using was
something I wrote and it shredded my Checkpoint and its VPNs to oblivion
both internally and externally. This is what syslog-ng reported before the
connection was toasted...
Sep 20 13:06:09 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:13 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:19 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:20 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:26 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:32 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:38 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:50 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:10:56 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:13:02 xxx.xxx.xxx.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
I had to connect to my firewall from an outside source because my
internal connection (10.1.11.0/24 range) was unable to either send or
receive any kind of packets. Seems like the program choked the firewall.
After a reboot of both the router and the Linux server I set up to do my
pentest, the router was still choked until I shut down the Linux machine.
All of this with 149 packets...
[EMAIL PROTECTED] log]# uname -a
Linux hades 2.6.9-11.ELsmp #1 SMP Wed Jun 8 17:54:20 CDT 2005 i686 i686 i386 GNU/Linux
Network would not come back up without this machine being offline. Linux
machine was choked to shreds as well. Won't post code for now but I would
like someone over at Checkpoint to have a browse at it to assess what went
on. Addresses and names are obviously removed. Again... Someone at
Checkpoint or better. People looking for stupid DoS tools will not receive
a response, this message is not meant for you - or j0o however you want to
be addressed.
# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Welcome to [EMAIL PROTECTED] 425W, unlimited nodes 5.0.90x 00:08:da:xx:xx:xx
>show vpn sites
1:
disabled false
name NYCFW
gateway xxx.xxx.xxx.2
gateway2 undefined
loginmode automatic
configmode automatic
authmethod certificate
type sitetosite
keepalive disabled
bypassnat enabled
bypassfw enabled
user xxxxxxx
password ""
topopass xxxxxxxxxxx
net1 undefined
netmask1 undefined
net2 undefined
netmask2 undefined
net3 undefined
netmask3 undefined
usepfs false
phase1ikealgs automatic
phase1exptime 0
phase2ikealgs automatic
phase2exptime 0
phase1dhgroup automatic
phase2dhgroup automatic
dnsname xxx.xxx.xxx.2
2:
disabled false
name MAFW
gateway xxx.xxx.xxx.100
gateway2 undefined
loginmode automatic
configmode automatic
authmethod certificate
type sitetosite
keepalive disabled
bypassnat enabled
bypassfw enabled
user xxxxxxx
password ""
topopass xxxxxxxxxxx
net1 undefined
netmask1 undefined
net2 undefined
netmask2 undefined
net3 undefined
netmask3 undefined
usepfs false
phase1ikealgs automatic
phase1exptime 0
phase2ikealgs automatic
phase2exptime 0
phase1dhgroup automatic
phase2dhgroup automatic
dnsname xxx.xxx.xxx.100
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89
"Just one more time for the sake of sanity tell me why
explain the gravity that drove you to this..." Assemblage
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
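The per-interface anti-spoofing check Ray describes, run over syslog-ng lines in the shape of the ones J. Oquendo posted, as an added example that is not part of either message and not Check Point or SofaWare code. The interface names, the topology (10.1.11.0/24 behind "internal", anything else behind "external"), the 192.0.2.2 stand-in for the redacted gateway address, and the one-minute burst window are all constructed assumptions for illustration; the only thing taken from the thread is the log line format and the Src/Dst pair.

```python
"""Anti-spoofing topology check plus a burst counter over SofaWare-style
syslog-ng lines.  Added example; topology, interface names, 192.0.2.2 and
the sample log below are constructed, not taken from a real device."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: same layout as the posted lines, gateway address
# replaced with a TEST-NET address because the original was redacted.
SAMPLE_LOG = """\
Sep 20 13:06:09 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:13 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:19 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:20 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:26 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:32 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:38 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:08:50 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:10:56 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
Sep 20 13:13:02 192.0.2.2 00:08:da:70:21:61 <50002> packet (An internal error has occurred.) Src:10.10.10.10 Dst:10.1.11.240 IPP:6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<gw>\S+) (?P<mac>\S+) "
    r"<(?P<code>\d+)> packet \((?P<msg>[^)]*)\) "
    r"Src:(?P<src>\S+) Dst:(?P<dst>\S+) IPP:(?P<ipp>\d+)$"
)

# Assumed anti-spoofing topology: interface -> networks that may appear as a
# SOURCE address on packets arriving there.  An empty list models the usual
# "Internet" interface: anything is valid except addresses that belong
# behind another interface.
TOPOLOGY = {
    "internal": [ipaddress.ip_network("10.1.11.0/24")],
    "external": [],
}


def parse_line(line):
    """Return a dict for one log line, or None if it is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # no year in syslog
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["ipp"] = int(rec["ipp"])
    return rec


def is_spoofed(iface, src):
    """True if a packet with source `src` should not arrive on `iface`."""
    src = ipaddress.ip_address(src)
    nets = TOPOLOGY[iface]
    if nets:
        # Defined segment: source must lie inside one of its networks.
        return not any(src in n for n in nets)
    # Catch-all interface: source must not belong to any other segment.
    return any(src in n for other, ns in TOPOLOGY.items() if other != iface for n in ns)


def max_events_in_window(times, window=timedelta(seconds=60)):
    """Largest number of events whose timestamps fall inside one `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(log_text, iface):
    """Parse the log, count flows, and flag sources that violate `iface`'s topology."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    flows = Counter((str(r["src"]), str(r["dst"]), r["ipp"]) for r in recs)
    spoofed = [r for r in recs if is_spoofed(iface, r["src"])]
    return {
        "events": len(recs),
        "flows": flows,
        "spoofed_events": len(spoofed),
        "peak_per_minute": max_events_in_window([r["ts"] for r in spoofed]),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "internal")
    for (src, dst, ipp), n in report["flows"].items():
        print(f"{src} -> {dst} proto {ipp}: {n} events, spoofed on internal: {is_spoofed('internal', src)}")
    print(f"peak spoofed events in any 60s window: {report['peak_per_minute']}")
```

Run against the "internal" interface, every one of the ten events is a spoof (10.10.10.10 is not in 10.1.11.0/24), which is the drop Ray says the topology should produce; the same source arriving on "external" is not flagged, because 10.10.10.0/24 is not defined behind any interface in this assumed topology. The one-minute peak of seven events is the kind of number to alert on when a single spoofed source keeps hitting the same internal host.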