CHECKPOINT FIREWALLS VULNERABLE TO TRIVIAL SYN FLOOD, Part 2

CHECKPOINT FIREWALLS VULNERABLE TO TRIVIAL SYN FLOOD, Part 2

===========================================================
THE VULNERABILITY PROVED TO BE STILL EXISTING!
100 KPPS OF TCP SYN STILL RESULTS IN A DOS CONDITION AND CONSUMES ALL CPU POWER.

THIS WAS TESTED MANY TIMES ON DIFFERENT BOXES.
THE LAST TESTS WERE MADE WITH A CHECKPOINT 21400 APPLIANCE.
===========================================================

On Oct 20th, 2012 I have published a micro-advisory at  describing the vulnerability of CP Firewalls against trivial TCP SYN flood attacks. I tested different CP boxes and found all boxes vulnerable to TCP SYN flood attacks. Sure, every firewall has limited capacity due to many reasons, but I am not talking about large scale SYN flood attacks. One single Linux VM was enough to break the CP firewalls tested. According to CP's very own data sheet the 21400 box we have tested is capable of handling 130.000 new connections per second, see http://bit.ly/Uz2inh  So the box should handle a SYN flood with a max. amount of 100.000 TCP SYN packets with ease, when it is idle - BUT IT DOES NOT! Always the tests result in a DoS condition and the box almost stops forwarding legitimate traffic.

After contacting CP and publishing the micro-advisory on Twitter, CP released a response at http://bit.ly/UbSmil - I got in touch with CP again and they told me about their secure knowledge article I mentioned before. CP tech-support gave me a fix (sk86721) to mitigate the SYN flood vulnerability. They asked me to install the fix and do the tests again.

In the meanwhile a public paper on installing and configuring the fix was released by CP in November 2012, see http://bit.ly/YAAldQ

So in December I was back in the lab again and did a new test with the fix installed (see http://pastebin.com/xdy5WT8c for test specs). During my tests I observed that CP Firewalls are STILL VULNERABLE even with the fix installed. I am in touch with CheckPoint and we are now going to make a new test series on this.

cheers,
-- @securityfreax