Guest User

CheckPoint Firewalls vulnerable to simple syn flooding

a guest
Oct 20th, 2012
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. While making tests with several firewall vendors I found a major flaw within CheckPoint based firewalls. The flaw relies on the architecture of CheckPoint and obviously affects all firewall series of CheckPoint. An unauthenticated and remote attacker can DoS CheckPoint firewalls with a very simple SYN flood. The attack can be performed from a single Linux VM host. I had an ESX environment and fired up the syn flood from a single VM and broke all CheckPoint firewalls tested.
  3. ### Issues with hardware interrupt handling ###
  4. Since all CheckPoint firewalls are software based, they don't use any kind of FPGA or ASIC for acceleration. CheckPoint firewalls have an underlying x86 / x64 OS, so every hardware interrupt generated from the NICs has to be handled by a dedicated CPU. So the IRQ channel of the NIC (10G NIC have two IRQ channels) are attached to one of the CPUs available. One can attach multiple IRQ Channels to a single CPU, but one can assign the same IRQ channel only to one CPU at a time.
  6. ## Optimization ###
  7. So the first things to do is to distribute the IRQ channels over all available CPUs to get better performance. Without doing this large scale CheckPoint firewalls aren't able to use all CPU available.
  9. Following optimizations were made before testing:
  10. - distributed all NIC IRQ channels to different CPUs, only one NIC IRQ per CPU
  11. - activated delay sync for connections
  12. - activated TCP offloading
  13. - optimized NIC buffering
  14. - activated syn cookies
  15. - deactivated logging
  16. - tested with only one fw rule in place "permit any any" and also tested with "deny any any" rule
  17. - no NAT rules were in place
  18. - configured ethernet portchannels consisting of 8 links for better performance
  19. - .... etc......
  21. Since I made those tests for a very large customer, a dedicated CheckPoint Diamond Support engineer was onsite during all testing phases. The firewalls were optimized by CheckPoint, not be me. I have tested this on almost every new firewall appliance of CheckPoint: ...11000 Series, 21400 Series, with and without VSX virtualization. All tested firewalls were vulnerable.
  23. ### Proof of concept ####
  24. All you need is
  25. - a Linux machine to fire up the syn flood, you need to install the network tool hping3
  26. - a CheckPoint firewall as device under test
  28. Setup you lab and then execute the following command on the Linux VM, which will generate a TCP syn flood with maximum packets per second (the maximum value depends on your hardware, my max. was 140 kilo packets per second with a singe Linux VM)
  30. "hping3 -S -p 80 -–rand-source --flood --tcp-mss 1460 -L syn"
  31. (replace with an IP address behind your firewall)
  33. You can open a new shell and monitor outgoing packets per second with iptraf.
  34. If you reach 120 Kilo packets per second (kpps) you will be able to take down every CheckPoint firewall which is available today. During my tests I was able to to take down highly optimized firewalls with less than 120 kpps.
  36. ### conclusion ###
  37. Make the test by yourself, I know that this is hard to believe.
  38. CheckPoint is selling highly expensive firewalls which are in fact vulnerable to old fashioned syn flood attacks. Activating protections like syn cookies or rate limiting just consumed more CPU and made my syn flood attacks more effective instead of protecting the firewall and systems behind the firewall. I made this PoC for many customers, and they could not believe what they see. Some of my customers are going to change the firewall vendor, since CheckPoint could not do anything to survive my syn flood tests. Really sad...!!!
  40. contact @securityfreax if you need more information
RAW Paste Data