
Re: [FW1] New worm on the road?



Oops, after taking time to think about the problem I realized that it
is impossible to DROP a connection which has to be examined by a
security server. The security server has to first accept it to see
the content of the request to decide whether to reject it or accept it,
so at that time no rule in the firewall can drop it, just
reject it, as it has already been opened!

The problem with Nimda (I don't see many attacks anymore) is that
it tries to send all its attacks indifferently whether it is rejected or
dropped, but if it is dropped, i.e. no answer at all to the attack,
it waits for the timeout period, which slows down the attack rate
by a great factor.

At 13:24 2001-09-22 -0400, Yves Belle-Isle wrote:
>>>>
The problem is that with an HTTP Security Server resource to block Nimda, even if you specify DROP in the
rule, Security Servers never DROP connections, they ALWAYS REJECT them. For Nimda, if you drop attacks from
a source it will hit you about 1 probe/minute; if you reject attacks from a source it will attack you
10 to 20 times/sec, because it seems it doesn't care about drop/reject: when the attack gets a reject or
timeout it sends the next one.


The interesting thing is that I had a resource to DROP (read REJECT in the log...) Code Red II attacks.
I used a filter of *{NNNNN;XXXXX}* because other filters I tried, like default.ida, caused unrelated
traffic to be rejected too. This resource did not reject the Nimda virus, but because the Nimda connections
were examined by the security server, in the following rule, not using security resources, where I
dropped connections for the HTTP service except those to our HTTP server (not running any form of MS HTTP server
because they are all real pieces of shit!), those were Rejected and not Dropped because of a side effect
of the HTTP resource to catch Code Red. I had to disable that Code Red resource.


As long as Nimda attacks are dropped I get less than 1KB/sec traffic from it; when I reject them
I get at least a steady 50KB/sec traffic from it.


I will open a trouble ticket with Checkpoint Support on the fact that if a connection is
inspected by a Security Server it can't be DROPPED, just REJECTED, even if the DROP is in a
rule without a resource after the rule with the resource.





------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17 Email: [email protected]
Systems Manager Tel:
Sogi Informatique Ltee. Fax:
------------------------------------------------------------
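Added example, not code from the post above or from Check Point: a small Python classifier that re-creates the two kinds of matching the post describes, so the difference between the loose `default.ida` filter and the narrower `*{NNNNN;XXXXX}*` resource can be seen on sample request lines. The translation of the wildcard syntax (`*` matches anything, `{a;b}` is an alternation) is an assumption about what the author's pattern meant, not a reference implementation of the vendor syntax. The Nimda check uses the cmd.exe / root.exe probe shape documented in CERT Advisory CA-2001-26. All request lines below are constructed for the demonstration (the Code Red payloads are shortened).

```python
"""Classify HTTP request lines as Code Red, Nimda or unrelated traffic.

Added example for the FW1 thread above; not the author's or Check Point's
code. The wildcard semantics below are an assumption about the author's
*{NNNNN;XXXXX}* resource filter.
"""
import re


def compile_uri_filter(pattern: str) -> re.Pattern:
    """Translate a wildcard filter into an anchored regular expression.

    Assumed semantics: '*' matches any run of characters, '{a;b}' is an
    alternation of literals, everything else is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
            i += 1
        elif c == "{":
            end = pattern.index("}", i)
            alternatives = pattern[i + 1:end].split(";")
            parts.append("(?:" + "|".join(re.escape(a) for a in alternatives) + ")")
            i = end + 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


# The author's Code Red / Code Red II resource filter, as assumed above.
CODE_RED_FILTER = compile_uri_filter("*{NNNNN;XXXXX}*")

# Nimda probe shape per CERT CA-2001-26: cmd.exe or root.exe reached by a
# known path or a traversal, followed by a "/c+dir"-style argument.
NIMDA_PROBE = re.compile(r"(?:cmd|root)\.exe\?/c\+", re.IGNORECASE)


def naive_default_ida_filter(uri: str) -> bool:
    """The loose substring filter the author said over-matched."""
    return "default.ida" in uri


def classify(request_line: str) -> str:
    """Return 'codered', 'nimda' or 'other' for one HTTP request line."""
    try:
        _method, uri, _version = request_line.split(" ", 2)
    except ValueError:
        return "other"
    if CODE_RED_FILTER.match(uri):
        return "codered"
    if NIMDA_PROBE.search(uri):
        return "nimda"
    return "other"


def summarize(lines) -> dict:
    """Count request lines per class; useful over a web server access log."""
    counts = {"codered": 0, "nimda": 0, "other": 0}
    for line in lines:
        counts[classify(line)] += 1
    return counts


# Constructed sample traffic (payload lengths shortened for readability).
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0",
    "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /docs/default.ida.htm HTTP/1.0",  # unrelated page that merely names the file
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{classify(line):8s} {line}")
    print(summarize(SAMPLE_REQUESTS))
```

The last sample line is the kind of request the loose `default.ida` substring filter rejects but the `*{NNNNN;XXXXX}*` pattern leaves alone, which is the over-matching the author describes. Note also that none of this changes the drop-versus-reject behaviour the post is about: a filter on request content can only act once the security server has accepted the connection.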





   All contents © 2004 Network Presence, LLC. All rights reserved.