In reference to your recent posting regarding NetScreen's "ScreenOS Port Scan DoS Vulnerability" you will find attached our response. Please feel free to contact me directly if you have any further questions regarding this issue.

Mike Kouri
Senior Product Manager, ScreenOS
NetScreen Technologies, Inc.
350 Oakmead Parkway, mailstop 500
Sunnyvale, California 94085
408-730-6206

=-=-=-=-=-=-=-=-=-=-

February 5, 2002

NetScreen Response to: "NetScreen ScreenOS Port Scan DoS Vulnerability"

This issue was reported to NetScreen on February 1, 2002 and simultaneously reported to BugTraq@SecurityFocus.com (visible as http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=4015) and SecurityTracker.com (http://securitytracker.com/alerts/2002/Feb/1003421.html), among others.

The reported issue involves a port scan initiated from or by a user attached to the "Trust" interface of a NetScreen device against a host reachable via the "Untrust" interface, potentially consuming all available sessions and resulting in a denial of service against the "Trusted" network.

If a port scan were initiated against a host that responded to the probes (with either ICMP unreachable or RST), the NetScreen device would immediately close each of the sessions established during the port scan, making them available for reuse. ScreenOS has a default session inactivity timeout of 30 minutes. Both pre-defined and custom services can have their timeout value adjusted from 1 minute to 2 days. After the default 30 minutes (or whatever interval the administrator has configured), sessions from port scans to an unresponsive host will time out and the session entries in the NetScreen device will be cleared for reuse.

This problem can occur more quickly on NetScreen devices that have smaller session tables. For example, the NetScreen-5XP has a maximum of 2,048 sessions, while the NetScreen-1000 has a maximum of 500,000 sessions.
Obviously, the session table on a NetScreen-5XP will be consumed faster than on a NetScreen-1000.

NetScreen released new features that address this issue in several ways beginning in September 2001.

One feature, Source IP Session Thresholding, can be used to mitigate the likelihood of this issue arising in the first place. This feature was introduced as a CLI command in ScreenOS version 2.6.1r2 and has been incorporated into the WebUI starting with ScreenOS version 3.0. The command "set firewall session-threshold source-ip-based [num]" limits any one source IP on the trusted side to [num] concurrent sessions. Since the NetScreen-5XP can support 2,048 concurrent sessions, NetScreen recommends the higher of the following two numbers as a starting point: 100, or 2048/n, where "n" is the number of systems on the "Trust" side network. Administrators are advised to check their flow counters to see whether that is an acceptable number and modify it accordingly.

Next, ScreenOS 3.0.0 and later allow the administrator to forcibly clear sessions based on characteristics of those sessions such as source IP address, destination IP address, source port, destination port, source MAC address, and/or destination MAC address. For example, the command "clear session dst-ip <a.b.c.d>" will clear all active sessions to destination IP address a.b.c.d from the NetScreen active session table. This command can be used to recover from a wild port scan without waiting for all sessions to age out and without resetting the NetScreen device.

Lastly, ScreenOS 3.1.0 and later allow the administrator to enable firewall protections, including port scan protection, on any interface.

NetScreen recommends that all customers upgrade to the latest version of ScreenOS supported by their hardware and then enable one or all of the above features to minimize the likelihood of being affected by this issue.
The latest currently available versions of ScreenOS at the time of this writing for each NetScreen device are:

  Hardware         ScreenOS release
  NetScreen-5      2.6.1r6
  NetScreen-5XP    3.0.1r1
  NetScreen-10     3.0.1r1
  NetScreen-25     3.0.0r1
  NetScreen-50     3.0.0r1
  NetScreen-100    3.0.1r1
  NetScreen-204    3.1.0r1
  NetScreen-208    3.1.0r1
  NetScreen-500    3.1.0r1
  NetScreen-1000   2.8.0r1
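Added example, not NetScreen's code: a small Python model of the session-table exhaustion described in the response and of the two mitigations it recommends (source-ip-based session thresholding and "clear session dst-ip"). The 2,048-session table size, the 30-minute default timeout and the "higher of 100 or 2048/n" rule come from the response; the model itself, the host addresses and the port ranges are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

SESSION_TABLE_MAX = 2048        # NetScreen-5XP capacity quoted in the response
DEFAULT_TIMEOUT_SECS = 30 * 60  # ScreenOS default session inactivity timeout


def recommended_threshold(table_size: int, trusted_hosts: int) -> int:
    """Starting point from the response: the higher of 100 and table_size/n."""
    return max(100, table_size // trusted_hosts)


@dataclass
class SessionTable:
    """Simplified model of the device session table (an assumption, not ScreenOS)."""
    capacity: int
    per_source_limit: int = 0   # 0 = source-ip-based thresholding disabled
    sessions: Dict[Tuple[str, str, int], float] = field(default_factory=dict)

    def expire(self, now: float) -> None:
        """Drop entries whose inactivity timeout has elapsed."""
        self.sessions = {k: t for k, t in self.sessions.items() if t > now}

    def open(self, src_ip, dst_ip, dst_port, now, target_responds) -> bool:
        """Return True if the device accepts the flow, False if it is refused."""
        self.expire(now)
        if self.per_source_limit:
            used = sum(1 for k in self.sessions if k[0] == src_ip)
            if used >= self.per_source_limit:
                return False        # threshold reached for this source IP
        if len(self.sessions) >= self.capacity:
            return False            # table exhausted: the denial-of-service condition
        if target_responds:
            return True             # RST / ICMP unreachable: closed at once, no entry kept
        self.sessions[(src_ip, dst_ip, dst_port)] = now + DEFAULT_TIMEOUT_SECS
        return True

    def clear_dst_ip(self, dst_ip: str) -> int:
        """Model of 'clear session dst-ip <a.b.c.d>'; returns the number of entries removed."""
        before = len(self.sessions)
        self.sessions = {k: t for k, t in self.sessions.items() if k[1] != dst_ip}
        return before - len(self.sessions)


def port_scan(table, src_ip, dst_ip, ports, now, target_responds) -> int:
    """Probe the given ports from src_ip; return how many probes the device refused."""
    return sum(not table.open(src_ip, dst_ip, p, now, target_responds) for p in ports)
```

With a silent target and no threshold, a single trusted host fills all 2,048 entries; with the recommended threshold of 100 for a 50-host Trust network the same scan leaves 1,948 entries free for other hosts.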