239 Views | 0 Helpful | 2 Replies

Network DOS? attack question

bbeck (Level 1)

I have recently had some issues that appeared to be a DOS attack on our network. We currently have an outside company maintaining our PIX and I wanted to verify some information that was given to me from this company.

We are converting from a Frame Relay network with a PIX on the other side of the frame circuit, to a local PIX. We had the old router 10.x.x.1 connected to our Frame Circuit as well as the local PIX 10.x.x.3 connected directly to our Internet T1 when this happened (over the weekend while we were out).

The gateway on the server that was affected was set to the frame router 10.x.x.1. I happened to look at the config on the PIX after the problem and noticed that the Conduit to the affected server was configured to allow ANY IP port incoming to be redirected to that server, instead of just the one port we wanted open. We have been running off the Frame circuit for a year without any issues with the remote PIX.

According to the outside company, because the gateway on the server was set to 10.x.x.1, no one would be able to come in through the 10.x.x.3 PIX and do anything to that server even though the config file left that server wide open. Also, there was one of those Winpopup ads about protecting your PC on that server (Win2k Adv Server SP2, SQL 2000 SP2, yes I know I need to patch these) that wasn't there before the new PIX was plugged in. We had to disconnect the PIX and reboot the server before our network went back to normal.

It just sounds way too coincidental that we have this problem during the same time they messed up. Thanks in advance.

2 Replies

bbeck (Level 1)

I guess I didn't really ask a clear question here, what I am trying to find out is whether or not you can attack a server if it has been opened through a conduit in the PIX but the server has a different gateway back to the web.

Depends on the type of attack... If I NEED to establish a connection and hear back from the server, then there would be problems... but with an ICMP Smurf attack or a TCP SYN flood... I could care less if the server even HAS a default gateway... If I send a SYN packet to the server and it responds to its default gateway and the gateway doesn't have a route to my IP address, then the router will send an ICMP destination unreachable (type 3) - as defined by RFC 1812 "Requirements for IP Version 4 Routers"... the server being attacked sees the ICMP destination unreachable and resends the message, ignoring the error message from the router because it may indicate a temporary glitch in the network.. the router responds with a type 3 ICMP and again the server ignores and responds again... So, yes, even if the server doesn't have a proper default gateway it can be a victim of a DoS... In this situation, you can get a 16:1 packet ratio from a single SYN packet.. I send one SYN packet and up to 16 more packets are generated by sending data back and forth to the router... imagine this being performed in a distributed DoS and you can see why your server can be stopped...

Hope this helps.
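As an added illustration (not from the thread or from Cisco), here is how a defender could spot the symptom the reply above describes in a packet capture: inbound SYNs that never complete, the server's SYN/ACK retransmits toward an unroutable source, and the gateway's ICMP type 3 replies back to the server. The addresses, the retransmit count and the thresholds are assumptions.

```python
from collections import Counter

SERVER = "10.0.0.50"   # hypothetical exposed server (constructed address)
GATEWAY = "10.0.0.1"   # hypothetical default gateway, the frame router in the thread

def build_sample():
    """Constructed capture-like records: (src, dst, proto, tcp_flags_or_icmp_type)."""
    attacker, client = "203.0.113.7", "198.51.100.9"  # documentation-range addresses
    pkts = []
    # Ten SYNs from a source the gateway cannot route back to. Each SYN/ACK the
    # server sends (and its four retransmits) is answered by the gateway with an
    # ICMP type 3, which the server's TCP stack treats as a soft error and ignores.
    for _ in range(10):
        pkts.append((attacker, SERVER, "tcp", "S"))
        for _ in range(5):
            pkts.append((SERVER, attacker, "tcp", "SA"))
            pkts.append((GATEWAY, SERVER, "icmp", 3))
    # One legitimate client that completes the three-way handshake.
    pkts += [(client, SERVER, "tcp", "S"),
             (SERVER, client, "tcp", "SA"),
             (client, SERVER, "tcp", "A")]
    return pkts

def analyze(pkts, server=SERVER, gateway=GATEWAY):
    """Per-source SYN accounting plus the count of gateway unreachables hitting the server."""
    syn, synack, ack = Counter(), Counter(), Counter()
    icmp_unreach = 0
    for src, dst, proto, detail in pkts:
        if proto == "tcp" and dst == server and detail == "S":
            syn[src] += 1
        elif proto == "tcp" and src == server and detail == "SA":
            synack[dst] += 1
        elif proto == "tcp" and dst == server and detail == "A":
            ack[src] += 1
        elif proto == "icmp" and src == gateway and dst == server and detail == 3:
            icmp_unreach += 1
    report = {}
    for s, n in syn.items():
        report[s] = {"syn": n,
                     "half_open": n - ack[s],          # handshakes never completed
                     "synack": synack[s],
                     "amp": synack[s] / n}             # server packets emitted per inbound SYN
    return report, icmp_unreach

def suspicious(report, min_half_open=5, min_amp=3.0):
    """Sources that leave many half-open connections and make the server retransmit heavily."""
    return sorted(s for s, r in report.items()
                  if r["half_open"] >= min_half_open and r["amp"] >= min_amp)
```

On real data the same counters would come from a capture or flow export; a rising ICMP type 3 count from the gateway toward the server, paired with SYN/ACK retransmits, is the fingerprint of the gateway-less amplification described in the reply.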