CheckPoint Firewalls vulnerable to simple syn flooding

1. While making tests with several firewall vendors I found a major flaw within CheckPoint based firewalls. The flaw relies on the architecture of CheckPoint and obviously affects all firewall series of CheckPoint. An unauthenticated and remote attacker can DoS CheckPoint firewalls with a very simple SYN flood. The attack can be performed from a single Linux VM host. I had an ESX environment and fired up the syn flood from a single VM and broke all CheckPoint firewalls tested.
2.  
3. ### Issues with hardware interrupt handling ###
4. Since all CheckPoint firewalls are software based, they don't use any kind of FPGA or ASIC for acceleration. CheckPoint firewalls have an underlying x86 / x64 OS, so every hardware interrupt generated from the NICs has to be handled by a dedicated CPU. So the IRQ channel of the NIC (10G NIC have two IRQ channels) are attached to one of the CPUs available. One can attach multiple IRQ Channels to a single CPU, but one can assign the same IRQ channel only to one CPU at a time.
5.  
6. ## Optimization ###
7. So the first things to do is to distribute the IRQ channels over all available CPUs to get better performance. Without doing this large scale CheckPoint firewalls aren't able to use all CPU available.
8.  
9. Following optimizations were made before testing:
10. - distributed all NIC IRQ channels to different CPUs, only one NIC IRQ per CPU
11. - activated delay sync for connections
12. - activated TCP offloading
13. - optimized NIC buffering
14. - activated syn cookies
15. - deactivated logging
16. - tested with only one fw rule in place "permit any any" and also tested with "deny any any" rule
17. - no NAT rules were in place
18. - configured ethernet portchannels consisting of 8 links for better performance
19. - .... etc......
20.  
21. Since I made those tests for a very large customer, a dedicated CheckPoint Diamond Support engineer was onsite during all testing phases. The firewalls were optimized by CheckPoint, not be me. I have tested this on almost every new firewall appliance of CheckPoint: ...11000 Series, 21400 Series, with and without VSX virtualization. All tested firewalls were vulnerable.
22.  
23. ### Proof of concept ####
24. All you need is
25. - a Linux machine to fire up the syn flood, you need to install the network tool hping3
26. - a CheckPoint firewall as device under test
27.  
28. Setup you lab and then execute the following command on the Linux VM, which will generate a TCP syn flood with maximum packets per second (the maximum value depends on your hardware, my max. was 140 kilo packets per second with a singe Linux VM)
29.  
30. "hping3 -S -p 80 -–rand-source --flood --tcp-mss 1460 -L syn 1.2.3.4"
31. (replace 1.2.3.4 with an IP address behind your firewall)
32.  
33. You can open a new shell and monitor outgoing packets per second with iptraf.
34. If you reach 120 Kilo packets per second (kpps) you will be able to take down every CheckPoint firewall which is available today. During my tests I was able to to take down highly optimized firewalls with less than 120 kpps.
35.  
36. ### conclusion ###
37. Make the test by yourself, I know that this is hard to believe.
38. CheckPoint is selling highly expensive firewalls which are in fact vulnerable to old fashioned syn flood attacks. Activating protections like syn cookies or rate limiting just consumed more CPU and made my syn flood attacks more effective instead of protecting the firewall and systems behind the firewall. I made this PoC for many customers, and they could not believe what they see. Some of my customers are going to change the firewall vendor, since CheckPoint could not do anything to survive my syn flood tests. Really sad...!!!
39.  
40. contact @securityfreax if you need more information