Re: nmap brings CheckPoint Firewall-1 down
From: Matt Hargett <matt () use net>
Date: Tue, 14 Jun 2005 13:19:46 +0000
Marc Ruef wrote:
> Has somebody else seen such a behavior and know how to re-configure FW1, Nessus and/or nmap to get a stable
> environment for the usual Nessus testing? A possible workaround would be to de-activate nmap/postscanning within the
> Nessus testing. But this does not eliminate the danger of such a weak installation as it tends to be in place. One of
> our workaround approaches was to optimize the FW1 configuration. First of all we implemented a connection limit of 100
> connections per host. This made some really nasty false negatives during the mapping, nmap and Nessus scanning.
> Furthermore we implemented SYN flood detection at 100 half-open connections. This was able to prevent the full DoS,
> but partially a timeout could still be detected. A full break-down of the firewalls was not possible anymore. False
> negatives are still given.
I saw similar behaviour in several different firewall and VPN products
using nmap and isic while working at a job in 1998. There were bugs in
the code -- no configuration seemed to help things.
In one case, their connection-state table in kernel memory grew
unchecked, causing the kernel to run out of nonpaged memory, and
resulting in a null pointer reference after kmalloc() started failing.
Check out my slides from defcon 7 or 8 about testing; it is still very
effective from what I have seen.
Sent through the nmap-dev mailing list
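The failure mode Matt describes (a connection-state table that grows without a cap and uses the result of kmalloc() without checking it) and the per-host limit Marc configured both come down to the same defensive pattern. The following is an added, constructed user-space model of a bounded state table, not Check Point or Nmap code; the struct layout, the injectable allocator and the 100-entry cap are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of a firewall connection-state table (not real Firewall-1 code). */
#define MAX_CONNS_PER_HOST 100   /* the per-host limit discussed in the thread */

typedef struct conn {
    uint32_t src, dst;
    uint16_t sport, dport;
    struct conn *next;
} conn_t;

typedef struct {
    conn_t *head;
    size_t count, cap;
    void *(*alloc)(size_t);   /* injectable so a test can stand in for kmalloc() failing */
} conn_table_t;

void conn_table_init(conn_table_t *t, size_t cap, void *(*alloc)(size_t)) {
    t->head = NULL; t->count = 0; t->cap = cap; t->alloc = alloc ? alloc : malloc;
}

/* Hardened insert: 0 = tracked, -1 = cap reached (drop, do not grow), -2 = allocation failed.
   The unchecked variant Matt describes has neither test: no cap, and the pointer from the
   allocator is dereferenced even when it is NULL. */
int conn_table_insert(conn_table_t *t, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    if (t->count >= t->cap) return -1;
    conn_t *c = t->alloc(sizeof *c);
    if (c == NULL) return -2;
    c->src = src; c->dst = dst; c->sport = sport; c->dport = dport;
    c->next = t->head; t->head = c; t->count++;
    return 0;
}

void conn_table_free(conn_table_t *t) {
    while (t->head) { conn_t *n = t->head->next; free(t->head); t->head = n; }
    t->count = 0;
}

/* Simulate n half-open connections from one host; returns how many the table accepted. */
size_t simulate_flood(size_t n, void *(*alloc)(size_t)) {
    conn_table_t t; conn_table_init(&t, MAX_CONNS_PER_HOST, alloc);
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (conn_table_insert(&t, 0x0A000001u, 0x0A000002u, (uint16_t)(1024 + i), 80) == 0) accepted++;
    conn_table_free(&t);
    return accepted;
}

/* Allocator that fails after three calls, standing in for an exhausted nonpaged pool. */
static int failing_budget = 3;
void *failing_alloc(size_t sz) { return failing_budget-- > 0 ? malloc(sz) : NULL; }
```

With the cap in place a flood of 1000 attempts from one host is held at 100 tracked entries, and when the allocator starts returning NULL the insert reports an error instead of dereferencing it.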