From cpsuppor@ts.checkpoint.com Thu Aug 12 21:56:31 1999
Date: Tue, 10 Aug 1999 23:27:36 -0500
From: Check Point Support <cpsuppor@ts.checkpoint.com>
To: fw-1-mailinglist@lists.us.checkpoint.com
Subject: [FW1] ACK Dos Attack

This message is a follow up to the Check Point response to the ACK DOS
attack posted last week.  Check Point has developed INSPECT code changes
that provides a solution for this type of attack.  This code change enables
Check Point gateways to drop non-first TCP packets instead of matching the
rule base.  It should be noted that this INSPECT fix will cause a change of
behavior from the existing Check Point gateway behavior in the following
way: following a reboot, policy unload or stopping the firewall, all active
TCP connections will be blocked, and that any timed out TCP connections
(i.e., connections that have been inactive longer than the TCP timeout) will
be disconnected. The ability for FireWall-1/VPN-1 to maintain connections
after policy reload will not be affected by this change.

For those with UNMODIFIED $FWDIR/lib/code.def files, you can go to the Check
Point web site and download Check Point updated files (go to:
http://www.checkpoint.com/techsupport/alerts/ackdos.html).  Another option
is to edit the code.def files as described below.

Check Point 4.0-based Installations:
The following INSPECT code (between the two lines starting with "-----")
should be added to the $FWDIR/lib/code.def file (at the end of the file,
just before the #endif statement).  NOTE: if you are managing V3.0 modules,
using the 4.0 backwards compatibility feature, please make the changes to
the V3.0 code.def file (located in $FWDIR/lib30), as described in the "Check
Point 3.0-based Installations".  After completing the edit, re-install the
security policy.  For 4.0-based installations, this code will also log these
events.

----- 4.0 edit follows -----
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
                tcp, first or <conn> in old_connections or


#ifndef NO_NONFIRST_RULEBASE_MATCH_LOG


                        <ip_p,src,dst,sport,dport,0> in logged
                ) or

                        record <ip_p,src,dst,sport,dport,0> in logged,
                        set sr10 12, set sr11 0, set sr12 0, set sr1 0,
                        log bad_conn
                ) or 1,
#endif
                vanish
                );
#endif
----- End of 4.0 insert -----

Check Point 3.0-based Installations:
The following INSPECT code (between the two lines starting with "-----")
should be added to the $FWDIR/lib/code.def file (at the end of the file,
just before the #endif statement).  After completing the edit, re-install
the security policy.

----- 3.0 edit follows -----
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
        tcp, first or <conn> in old_connections or vanish;
#endif
----- End of 3.0 insert -----

Thank you,

Check Point Support



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================