Monday, 7 January 2008

Denial of Service (DoS)

Denial of Service (DoS) and Checkpoint Application Intelligence
A Denial of Service (DoS) attack is intended to interrupt the normal functioning of a system, site or service. This disruption is typically achieved either by overwhelming the target with forged packets until it can no longer answer legitimate requests, or by exploiting operating system, application and system vulnerabilities in order to crash the system remotely. DoS attacks are also commonly used to take a host offline so that an attacker can start a man-in-the-middle (MITM) attack in its place.

Checkpoint SmartDefense provides protections that help defend against many common classes of DoS attack.

Aggressive Aging
Aggressive Aging manages the connections table capacity and the memory consumption of the firewall in order to increase durability and stability. Aggressive Aging uses a new set of short timeouts called aggressive timeouts. When a connection is idle for longer than its defined aggressive timeout, it is marked as eligible for deletion. When the connections table or memory consumption reaches a certain user-defined threshold (the high watermark), Aggressive Aging begins to operate. Aggressive Aging timeouts are also configurable per service.

Once the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the eligible for deletion list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below a certain low watermark.

If there are no "eligible for deletion" connections, no connections are deleted at that time, but the list is checked again after each subsequent connection that exceeds the high watermark. Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that still maintain connectivity for the vast majority of the traffic.

The major benefit of Aggressive Aging is that it starts to operate while the machine still has available memory and the connections table is not entirely full. This reduces the chance of encountering the connectivity problems that would occur under low-resource conditions.
Aggressive Aging allows the gateway to handle large amounts of unexpected traffic, especially during a DoS attack.
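The following Python model of the Aggressive Aging behaviour described above is an added example, not Check Point code: the watermarks (80% on, 60% off), the 60-second aggressive timeout, the ten-deletions-per-new-connection rate and the sample flows are all assumed values chosen to show the mechanism. Calling demo(aging=False) disables the high watermark so the same burst can be compared against a plain table that simply fills up.

```python
from dataclasses import dataclass, field

@dataclass
class Conn:
    key: tuple          # (proto, src, sport, dst, dport); constructed sample keys below
    last_seen: float    # time of the last packet seen on this connection

@dataclass
class ConnTable:
    capacity: int                     # maximum entries the table can hold
    high_wm: float = 0.8              # fill ratio that switches Aggressive Aging on
    low_wm: float = 0.6               # fill ratio at which it switches off again
    aggressive_timeout: float = 60.0  # short "aggressive" idle timeout (seconds)
    per_new_conn: int = 10            # eligible entries deleted per new connection
    conns: dict = field(default_factory=dict)
    active: bool = False              # True while the table is above the watermarks
    deleted: int = 0                  # entries removed by Aggressive Aging

    def fill(self) -> float:
        return len(self.conns) / self.capacity

    def _eligible(self, now: float) -> list:
        # entries idle longer than the aggressive timeout, oldest first
        idle = [c for c in self.conns.values() if now - c.last_seen > self.aggressive_timeout]
        return sorted(idle, key=lambda c: c.last_seen)

    def new_connection(self, key: tuple, now: float) -> bool:
        """Admit a new connection; returns False only if the table is really full."""
        if not self.active and self.fill() >= self.high_wm:
            self.active = True                     # high watermark crossed
        if self.active:
            for c in self._eligible(now)[: self.per_new_conn]:
                del self.conns[c.key]              # nothing happens if the list is empty
                self.deleted += 1
            if self.fill() <= self.low_wm:
                self.active = False                # back below the low watermark
        if len(self.conns) >= self.capacity:
            return False
        self.conns[key] = Conn(key, now)
        return True

def demo(aging: bool = True) -> dict:
    """85 flows opened at t=0 and left idle, then a burst of 30 new flows at t=120 s."""
    t = ConnTable(capacity=100, high_wm=0.8 if aging else 2.0)   # 2.0 is never reached
    for i in range(85):
        t.new_connection(("tcp", f"10.0.0.{i}", 40000 + i, "192.0.2.1", 80), now=0.0)
    admitted = sum(t.new_connection(("udp", f"203.0.113.{i}", 5000, "192.0.2.1", 53), 120.0)
                   for i in range(30))
    return {"admitted": admitted, "deleted": t.deleted, "entries": len(t.conns)}
```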

TearDrop
A number of TCP/IP protocol stack implementations fail to correctly handle the reassembly of overlapping IP fragments (see http://insecure.org/sploits/linux.fragmentation.teardrop.html for details).
Sending the target multiple IP fragments crafted with overlapping fragment offsets, where one fragment is completely enclosed within the offset range of the other, can cause the host to allocate memory incorrectly, remotely crashing the vulnerable system that received the packets. TearDrop is a widely available attack tool that exploits this vulnerability. It is closely related to "syndrop", a modified version that exploits a Microsoft SYN sequence bug.

Checkpoint SmartDefense blocks attacks that rely on overlapping IP fragment offsets by default and logs them as “Virtual defragmentation error: Overlapping fragments”. It also provides the administrator with the capability to configure alerts, e-mail notices, SNMP traps and user-defined actions when these attacks occur.

Ping of Death
The “Ping of Death” is a malformed PING request sent as a series of IP fragments which, when reassembled by the target, exceeds the maximum IP packet size of 65,535 octets. A vulnerable system crashes on reassembly (see http://insecure.org/sploits/ping-o-death.html for details).

SmartDefense blocks this attack by default. Blocked attacks are logged by the firewall with “Virtual defragmentation error: Packet too big”. SmartDefense provides the administrator with the capability to construct alerts, e-mail notices, SNMP traps, and user-defined actions when these attacks occur.
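The virtual defragmentation check below is an added example covering both the TearDrop and Ping of Death sections above; it is not Check Point code and does not reproduce its logic, only the two conditions its log messages name. The Fragment type, the 20-byte header assumption and the three sample fragment sets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

IP_MAX_LEN = 65535   # maximum IPv4 datagram size, header included (16-bit total length)

@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload bytes carried by this fragment

def virtual_defrag(frags: List[Fragment], header_len: int = 20) -> Optional[str]:
    """Walk the fragments in offset order without building the datagram.
    Returns None if they fit together cleanly, otherwise the log text the page
    attributes to SmartDefense for the first defect found.  Completeness of the
    set (gaps, missing last fragment) is deliberately not checked here."""
    seen = []                                   # (start, end) byte ranges accepted so far
    for f in sorted(frags, key=lambda f: f.offset):
        start, end = f.offset, f.offset + f.length
        if any(start < e and s < end for s, e in seen):   # shares a byte with an earlier one
            return "Virtual defragmentation error: Overlapping fragments"
        seen.append((start, end))
        if header_len + end > IP_MAX_LEN:       # reassembled datagram would not fit
            return "Virtual defragmentation error: Packet too big"
    return None

# constructed sample fragment sets (1480-byte payloads as on a 1500-byte MTU link)
NORMAL = [Fragment(0, 1480), Fragment(1480, 1480), Fragment(2960, 500)]
# TearDrop pattern: the second fragment lies entirely inside the first
TEARDROP = [Fragment(0, 36), Fragment(24, 4)]
# Ping of Death pattern: the final fragment pushes the total past 65,535 octets
TOO_BIG = [Fragment(1480 * i, 1480) for i in range(44)] + [Fragment(65120, 500)]
```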

LAND
The LAND attack involves the attacker sending a TCP SYN packet (a connection initiation) in which both the source and destination addresses are set to the target's address and the source and destination ports are the same port on the target host. Land.c is an easily obtainable attack tool designed to exploit this vulnerability (see http://insecure.org/sploits/land.ip.DOS.html for further information).

Checkpoint SmartDefense blocks this attack by default and provides the administrator with the capability to construct alerts, e-mail notices, SNMP traps, and user-defined actions when these attacks occur.

Non-TCP Flooding
An attacker will sometimes directly target security devices such as firewalls. In advanced firewalls, state information about connections is maintained in a state table. The state table includes both connection-oriented TCP and connectionless non-TCP protocols. Attackers can send high volumes of non-TCP traffic in an effort to fill up a firewall’s state table. This results in a Denial of Service by preventing the firewall from accepting new connections. Unlike TCP, non-TCP traffic provides no mechanism to “reset” or clear a connection.

SmartDefense can restrict non-TCP traffic from occupying more than a pre-defined percentage of a Checkpoint enforcement point’s state table. This eliminates the possibility of this type of attack.
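The state-table model below is an added example of the quota described above, not Check Point code: the 1000-entry table, the percentage values and the spoofed UDP flood are constructed so that the same burst can be run with and without the non-TCP limit.

```python
from collections import Counter

class StateTable:
    """Firewall state table with a cap on the share that non-TCP entries may occupy."""
    def __init__(self, capacity: int, non_tcp_max_pct: int):
        self.capacity = capacity
        self.non_tcp_max = capacity * non_tcp_max_pct // 100  # entries non-TCP may hold
        self.entries = {}             # flow key -> protocol
        self.non_tcp = 0              # current non-TCP entry count
        self.dropped = Counter()      # reason -> number of refused admissions

    def admit(self, key: tuple, proto: str) -> bool:
        """Admit a new flow; non-TCP flows are refused once their quota is used up."""
        if key in self.entries:       # packet on a known flow, nothing to allocate
            return True
        if len(self.entries) >= self.capacity:
            self.dropped["table_full"] += 1
            return False
        if proto != "tcp":
            if self.non_tcp >= self.non_tcp_max:
                self.dropped["non_tcp_quota"] += 1
                return False
            self.non_tcp += 1         # no RST/FIN for UDP or ICMP: it stays until it times out
        self.entries[key] = proto
        return True

def flood_demo(non_tcp_max_pct: int) -> tuple:
    """Constructed: 5000 spoofed UDP flows hit a 1000-entry table, then a TCP client arrives."""
    t = StateTable(capacity=1000, non_tcp_max_pct=non_tcp_max_pct)
    udp_admitted = sum(t.admit(("udp", "198.51.100.7", port, "192.0.2.1", 53), "udp")
                       for port in range(1024, 6024))
    tcp_admitted = t.admit(("tcp", "203.0.113.5", 51000, "192.0.2.1", 443), "tcp")
    return udp_admitted, tcp_admitted, dict(t.dropped)
```

With the quota at 100% the flood takes every slot and the later TCP client is refused; at 10% the flood is capped at 100 entries and the TCP client gets in.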
