This message is a follow-up to the Check Point response to the ACK DoS attack posted last week. Check Point has developed INSPECT code changes that provide a solution for this type of attack. The change enables Check Point gateways to drop non-first TCP packets (packets that do not belong to a known connection) instead of matching them against the rule base. It should be noted that this INSPECT fix changes the existing Check Point gateway behavior in the following way: following a reboot, policy unload or stopping the firewall, all active TCP connections will be blocked, and any timed-out TCP connections (i.e., connections that have been inactive longer than the TCP timeout) will be disconnected. The ability of FireWall-1/VPN-1 to maintain connections after a policy reload is not affected by this change.
For those with unmodified $FWDIR/lib/code.def files, the updated files can be downloaded from the Check Point web site (go to: http://www.checkpoint.com/techsupport/alerts/ackdos.html). Another option is to edit the code.def files as described below.
Check Point 4.0-based Installations:
The following INSPECT code (between the two lines starting with "-----") should be added to the $FWDIR/lib/code.def file (at the end of the file, just before the #endif statement). NOTE: if you are managing V3.0 modules using the 4.0 backwards compatibility feature, please make the changes to the V3.0 code.def file (located in $FWDIR/lib30) as described in the "Check Point 3.0-based Installations" section. After completing the edit, re-install the security policy. For 4.0-based installations, this code will also log these events.
----- 4.0 edit follows -----
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
tcp, first or <conn> in old_connections or (
#ifndef NO_NONFIRST_RULEBASE_MATCH_LOG
        ( <ip_p,src,dst,sport,dport,0> in logged
        ) or (
          record <ip_p,src,dst,sport,dport,0> in logged,
          set sr10 12, set sr11 0, set sr12 0, set sr1 0,
          log bad_conn
        ) or 1,
#endif
        vanish
);
#endif
----- End of 4.0 insert -----
Check Point 3.0-based Installations:
The following INSPECT code should be added to the $FWDIR/lib/code.def file (at the end of the file, just before the #endif statement). After completing the edit, re-install the security policy.
----- 3.0 edit follows -----
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
tcp, first or <conn> in old_connections or vanish;
#endif
----- End of 3.0 insert -----
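The following Python model, added here as an illustration and not Check Point's own code, shows the decision the INSPECT snippets above (4.0 and 3.0 variants) add to the gateway: only a connection's first packet is matched against the rule base, packets of known or kept-alive connections pass, and every other non-first TCP packet is logged once per tuple and dropped. The rule base (ALLOWED_DPORTS) and the sample packets are constructed for this example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport syn")

# Hypothetical rule base: a SYN is accepted only towards these server ports.
ALLOWED_DPORTS = {25, 80}


class Gateway:
    def __init__(self, old_connections=()):
        self.connections = set()                      # <conn> table, filled from accepted SYNs
        self.old_connections = set(old_connections)   # connections kept across a policy reload
        self.logged = set()                           # tuples already logged (suppresses repeats)
        self.log = []

    def handle(self, p):
        key = (p.src, p.dst, p.sport, p.dport)
        if p.syn:
            # "first": only the opening packet is matched against the rule base
            if p.dport in ALLOWED_DPORTS:
                self.connections.add(key)
                self.connections.add((p.dst, p.src, p.dport, p.sport))  # reply direction
                return "accept"
            return "drop"
        # established entry or "<conn> in old_connections": pass without a rule-base match
        if key in self.connections or key in self.old_connections:
            return "accept"
        # any other non-first packet: log bad_conn once per tuple, then vanish (drop)
        if key not in self.logged:
            self.logged.add(key)
            self.log.append(("bad_conn",) + key)
        return "drop"


def run(packets, old_connections=()):
    gw = Gateway(old_connections)
    return [gw.handle(p) for p in packets], gw.log


SAMPLE = [  # constructed traffic: one legitimate handshake, stray ACKs, a blocked SYN
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, True),
    Packet("192.0.2.10", "10.0.0.5", 80, 40000, False),
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, False),
    Packet("198.51.100.7", "192.0.2.10", 1234, 80, False),
    Packet("198.51.100.7", "192.0.2.10", 1234, 80, False),
    Packet("10.0.0.5", "192.0.2.10", 40001, 23, True),
]

if __name__ == "__main__":
    verdicts, log = run(SAMPLE)
    print(verdicts, log)
```

The model simplifies the real connection table (no SYN-ACK tracking or timeouts); the second stray ACK is dropped without a new log entry because its tuple is already in the logged table.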