Vulnerability: Sonicwall
Affected: Sonicwall

Description

Leon Rosenstein found the following. In the Sonicwall SoHo there is a limitation on the amount of connections that one can open. This sets up a denial of service scenario if one can "surpass" the limit. A denial of service condition exists if someone opens up more than 2048 connections. When this limit is surpassed the "cache" will overflow and it will begin to drop internal connections. A simple way to re-create this is to run a TCP port scan on a host on the WAN. When you open up more than 2048 connections it will begin to "complain" via the log:

08/28/2000 10:18:46.368 - The cache is full; over 2048 simultaneous connections; some will be dropped - Source:10.1.1.6, 2119, LAN - Destination:xxx.xx.xx.xxx, WaN –

At this point all future connections will have a much less likely chance of getting through as the port scanner saturates all remaining available connections.

Solution

All firewalls except dumb static packet filters suffer from it. Firewalls that can set per-destination or per-source or per-interface connection limits may limit the extent of the attack, but it'll always be possible to do partial DoS on state tracking (yes, proxies are definitely state tracking) firewalls by flooding their state table / process number limit / RAM / whatever. One big difference between different firewalls is how hard it is to flood the state table. On firewall-1, you can flood it real bad by sending in TCP ACK packets from random IPs, and there'll be no way to track you. On some others, you'll have to do the full SYN/SYNACK/ACK dance before you can really hurt the firewall, but that gives away your true source network.
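The following is an added example and is not code from the advisory, from Leon Rosenstein, or from SonicWALL. It models the behaviour described above in Python: a fixed-size connection table (the 2048-entry cap is the one figure the log line gives), a single-source port scan that fills it, and a spoofed-ACK flood of the kind the Solution text attributes to firewall-1, with and without a per-source connection limit and with and without state creation on a bare ACK. It also parses the advisory's "cache is full" log line so the event can be picked out of a log. The class and function names (StateTable, scenario, cache_full_events), the 192.0.2.x destination addresses, the per-source cap of 64, the 3000-probe scan, the 3000-packet flood and the second sample log line are all constructed assumptions; only the source 10.1.1.6 and the message text come from the advisory.

```python
import random
import re
from collections import Counter

# The cap the advisory's log line reports. Everything else below
# (addresses, per-source cap, traffic volumes) is a constructed assumption.
GLOBAL_CAP = 2048

# Matches the message format shown in the advisory's log line.
CACHE_FULL_RE = re.compile(
    r"The cache is full; over (?P<limit>\d+) simultaneous connections.*?"
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<iface>\w+)"
)

# Constructed sample log: the advisory's line with a documentation-range
# destination substituted for the masked address, plus one unrelated line.
SAMPLE_LOG = [
    "08/28/2000 10:18:46.368 - The cache is full; over 2048 simultaneous connections; "
    "some will be dropped - Source:10.1.1.6, 2119, LAN - Destination:192.0.2.10, 80, WAN -",
    "08/28/2000 10:18:47.001 - TCP connection opened - Source:10.1.1.7, 2120, LAN - "
    "Destination:192.0.2.20, 443, WAN -",
]


def cache_full_events(log_lines):
    """Return (limit, source_ip, source_port) for each 'cache is full' line."""
    events = []
    for line in log_lines:
        m = CACHE_FULL_RE.search(line)
        if m:
            events.append((int(m.group("limit")), m.group("src"), int(m.group("sport"))))
    return events


class StateTable:
    """Fixed-size connection table with an optional per-source cap.

    create_on_ack=True models a firewall that makes an entry for a bare ACK
    (the firewall-1 behaviour described in the text); False models one that
    only tracks connections that start with a SYN.
    """

    def __init__(self, global_cap=GLOBAL_CAP, per_source_cap=None, create_on_ack=True):
        self.global_cap = global_cap
        self.per_source_cap = per_source_cap
        self.create_on_ack = create_on_ack
        self.entries = set()          # (src_ip, src_port, dst_ip, dst_port)
        self.per_source = Counter()   # live entries per source address
        self.dropped = 0              # packets refused for lack of table space

    def add(self, src_ip, src_port, dst_ip, dst_port, syn=True):
        """Return True if the packet gets (or already has) a table entry."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.entries:
            return True
        if not syn and not self.create_on_ack:
            return False                       # bare ACK: no state, no cost
        if len(self.entries) >= self.global_cap:
            self.dropped += 1                  # "The cache is full"
            return False
        if self.per_source_cap is not None and self.per_source[src_ip] >= self.per_source_cap:
            self.dropped += 1                  # per-source limit reached
            return False
        self.entries.add(key)
        self.per_source[src_ip] += 1
        return True


def port_scan(table, scanner_ip, target_ip, ports):
    """Single-source TCP scan: one SYN, hence one table entry, per probed port."""
    return sum(table.add(scanner_ip, 40000 + i, target_ip, p) for i, p in enumerate(ports))


def spoofed_ack_flood(table, target_ip, count, rng):
    """ACKs from random source addresses; a per-source cap cannot bucket these."""
    accepted = 0
    for _ in range(count):
        src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 255) for _ in range(4))
        accepted += table.add(src, rng.randrange(1024, 65535), target_ip, 80, syn=False)
    return accepted


def scenario(per_source_cap=None, create_on_ack=True, seed=1):
    """Scan from 10.1.1.6, then a legitimate LAN connection, then a spoofed
    flood, then another legitimate connection; report what got through."""
    rng = random.Random(seed)
    t = StateTable(per_source_cap=per_source_cap, create_on_ack=create_on_ack)
    scan_ok = port_scan(t, "10.1.1.6", "192.0.2.10", range(1, 3001))
    legit_after_scan = t.add("10.1.1.7", 2120, "192.0.2.20", 443)
    flood_ok = spoofed_ack_flood(t, "192.0.2.10", 3000, rng)
    legit_after_flood = t.add("10.1.1.8", 2121, "192.0.2.20", 443)
    return {
        "scan_accepted": scan_ok,
        "legit_after_scan": legit_after_scan,
        "flood_accepted": flood_ok,
        "legit_after_flood": legit_after_flood,
        "table_size": len(t.entries),
        "dropped": t.dropped,
    }


if __name__ == "__main__":
    print("log events:", cache_full_events(SAMPLE_LOG))
    print("no limits:          ", scenario())
    print("per-source cap 64:  ", scenario(per_source_cap=64))
    print("cap 64, SYN-only:   ", scenario(per_source_cap=64, create_on_ack=False))
```

With no limits the 3000-port scan from one LAN host fills all 2048 slots and every later connection, legitimate or not, is refused, which is the advisory's scenario. A per-source cap of 64 stops the scanner but not the spoofed flood, since every packet arrives from a fresh address; only a table that refuses to create state for a bare ACK survives the flood, at the price the Solution text names, that an attacker must then complete the handshake from a real source.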