Checkpoint NG

By McKing
The Firewall-1 logfile contains the following entry, and I have yet to find any reason why. Any ideas?

th_flags 14 message_info TCP Packet out of state.

Thanks in advance.

Checkpoint NG

by joematus In reply to Checkpoint NG

This is the NG version of the Version 4.1 error message "unknown established TCP packet". What this means is that the firewall is seeing a packet with the ACK flag set and there is no entry for this connection in the state table. From the firewall's point of view it's getting an ACK response and there was no FIN packet sent.

There could be many reasons for this. One could be that someone is scanning you with the ACK flag set trying to get past non-stateful firewalls. Another could be that the connection timed out and was flushed out of the state table. What I see all the time has to do with http connections. Someone is looking at their favorite web page and walks away from their computer. Say that the tcp timeout is one hour. One hour after the user walks away from the computer the connection is flushed from the table. But the web server now wants to send some ad from doubleclick.com and the firewall does not see this connection in its table, so it's dropped.

Checkpoint came out with this in a security patch, which deals with how the firewall handles established TCP connections. This was in response to a demonstration at the Black Hat Convention in Las Vegas in the summer of 2000 which showed vulnerabilities in the Firewall-1 software. It was shown that Firewall-1 was vulnerable to a denial of service attack because of the way Firewall-1 handled established connections. The Black Hats also demonstrated a more serious vulnerability. A live demonstration proved that it was possible to bypass Firewall-1's normal directionality check by using specially fragmented TCP connection requests in conjunction with certain complex multi-connection protocols. In other words, it was possible under certain conditions to get through the firewall. Checkpoint's response was immediate because the Black Hat Convention is an annual convention of hackers discussing breakthroughs in hacking.

Hope thi

Checkpoint NG

by joematus In reply to Checkpoint NG

Oops,

Correction:

What I meant to say in the first paragraph was that

"From the firewall's point of view it's getting an ACK response and there was no *SYN* packet sent."
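As an added illustration of the explanation in the two posts above (this is not code from the thread or from Check Point), the toy model below decodes the logged th_flags field and replays the idle-HTTP scenario through a minimal state table with a one-hour timeout. It assumes th_flags is logged as a hexadecimal bitmask of the TCP flag byte, and that a state entry is created only by a SYN without ACK; addresses and ports are constructed sample values.

```python
# Added example (not from the thread): a toy model of the stateful check that
# yields "TCP Packet out of state", plus a decoder for the logged th_flags field.
# Assumption: th_flags is logged as a hexadecimal bitmask of the TCP flag byte.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

def decode_th_flags(value: str) -> List[str]:
    """Turn a logged th_flags value (hex string) into the set flag names."""
    bits = int(value, 16)
    return [name for bit, name in FLAG_NAMES.items() if bits & bit]

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport)

@dataclass
class StateTable:
    tcp_timeout: int = 3600                                   # the post's "one hour"
    entries: Dict[Key, float] = field(default_factory=dict)   # key -> last seen (s)

    def inspect(self, pkt: dict, now: float) -> str:
        """Return 'accept' or the drop reason for one packet."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        bits = int(pkt["th_flags"], 16)
        # Flush idle connections first, as the post describes.
        for k in [k for k, t in self.entries.items() if now - t > self.tcp_timeout]:
            del self.entries[k]
        if bits & SYN and not bits & ACK:
            self.entries[key] = now        # a fresh SYN opens state (rulebase check omitted)
            return "accept"
        for k in (key, reverse):
            if k in self.entries:
                if bits & (FIN | RST):
                    del self.entries[k]    # connection closing: drop the state
                else:
                    self.entries[k] = now  # refresh the idle timer
                return "accept"
        # ACK/RST/FIN with no matching entry and no SYN seen: out of state.
        return "drop: TCP Packet out of state"

def idle_http_scenario() -> List[str]:
    """Constructed replay of the post's example: the client idles past the timeout."""
    fw = StateTable()
    client = {"src": "10.0.0.5", "sport": 40001, "dst": "203.0.113.8", "dport": 80}
    server = {"src": "203.0.113.8", "sport": 80, "dst": "10.0.0.5", "dport": 40001}
    return [
        fw.inspect({**client, "th_flags": "2"}, now=0),       # SYN
        fw.inspect({**server, "th_flags": "12"}, now=0.1),    # SYN/ACK
        fw.inspect({**client, "th_flags": "10"}, now=0.2),    # ACK
        fw.inspect({**server, "th_flags": "18"}, now=3700),   # PSH/ACK after >1h idle
    ]
```

Under this model the logged value 14 decodes to RST/ACK, and the fourth packet of the replay is the one that would be logged as out of state.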

Checkpoint NG

by McKing In reply to Checkpoint NG

That's all I needed to know :). Much appreciated.

Checkpoint NG

by McKing In reply to Checkpoint NG

This question was closed by the author
