Check Point Information for VU#539363

State-based firewalls fail to effectively manage session table resource exhaustion



Vendor Statement

CERT VU#539363 describes various mechanisms which could be used to exhaust the session tables on state-based firewalls, thereby blocking legitimate connections. Current Check Point VPN-1/FireWall-1 products offer excellent protection against session table exhaustion, and are not vulnerable to the special attack variants described in this vulnerability note. Special enhancements have been added to Feature Pack 3, and within SmartDefense, to assist Check Point’s customers in dealing with such issues. Check Point recommends that security products be kept up to date, for the highest levels of security and performance.

TCP SYN Flood:
Check Point offers SYNdefender as an integral feature of FireWall-1. This feature has been substantially enhanced in Check Point’s SmartDefense product, which offers automatic passive/active switching for the highest level of security without performance compromise.

UDP Flood:
A properly configured firewall rulebase will allow very few inbound UDP connections with no restrictions on source IP addresses. In most deployments, only DNS queries would be allowed into a network in this manner (and then only if an organization is hosting its own DNS server). Check Point’s DNS validation code will ensure that inbound packets are, in fact, valid DNS queries. In addition, UDP timeouts in VPN-1/FireWall-1 NG FP3 have been lowered (and are configurable) for added protection.

VPN-1/FireWall-1 NG FP3 has an additional feature to deal with non-TCP Floods: Session Table Allocation, which allows the administrator to reserve a certain number of connection table entries for TCP connections, which are more likely to be used for mission-critical traffic (such as web and email). Even if a flood of UDP (or any other non-TCP) packets "succeeds" in using up many connection table slots, this will not reduce the number of TCP sessions the administrator has reserved - email, ftp, and web traffic would be unaffected by a non-TCP Flood.

Crikey CRC Flood:
This type of attack has no special impact on VPN-1/FireWall-1. An incoming TCP or UDP packet with an invalid CRC must be one of the following:
1) a TCP SYN packet, which is handled by Check Point’s standard SYN flood protection
2) a non-SYN TCP packet, which will be discarded by the firewall since it does not match an existing connection
3) a UDP packet, which is handled by Check Point’s standard UDP protection

It is important to note that Check Point does not create a session table entry simply because it receives a non-SYN packet which matches the rule base.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.