From: Richard Bartlett (richard@HACKERIMMUNITY.COM)
Date: Mon Apr 02 2001 - 12:42:11 CDT
Whilst pen testing a BorderManager 3.5 server I came across a problem
which I have now reproduced twice, and I believe to be a
either in Novell's TCP/IP stack or in BorderManager VPN, details
(*) One of the ports open on the outbound interface of the
BorderManager server is 353, which allows for initial handshaking
between VPN Client & Server to exchange the Keys.
(*) I verified the port was open using a port scanner.
(*) I ran the command 'for /l %%h in (1, 1, 300) do nc -d -z [server
ip] 353' (works from Windows NT or 2000).
(*) After running the command the port appears closed and VPN
connections can no longer be made.
(*) On checking the server logs it was found that after ~250
connections are opened, the server runs out of TCP/IP connections,
and all further connection attempts fail with the error message "No
more TCP/IP client connections are available."
(*) Re-loading vpn and re-initialising the system failed to resolve
the problem, and the only way to fix the problem appeared to be to
reboot the server.
(*) No error messages other than those in the VPN log were found, no
console messages warned that the service was unavailable, and there
was no other indication of a fault.
I have checked all information security resources including
Novell.com and BUGTRAQ and I don't believe this is a known issue.
I've also checked for information on how I can prevent this occurring
using documented methods of preventing such an attack ('SET TCP
DEFEND SYN ATTACKS', 'Tcp Connection Establishment timeout', 'Maximum
Pending TCP Connection Requests') but I haven't been able to complete
testing on that yet.
Any help from Novell BM users would be appreciated. (This
vulnerability was sent to securenovell.com under RFPolicy Thu
15/03/01 22:41 and an automatic reply received soon after. No other
response has since been received).
Many thanks in advance for your co-operation,
Hacker Immunity Ltd
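The report above describes a connection-table exhaustion: roughly 250 half-opened TCP connections to the VPN handshake port leave the server logging "No more TCP/IP client connections are available." until it is rebooted. Added example, not part of the original post and not Novell or BorderManager code: a small monitor that (a) counts connection attempts per source address against tcp/353 inside a sliding time window and flags any source whose burst exceeds a threshold, and (b) scans server log lines for the exact exhaustion message quoted in the report. The flow-log format, the sample log lines, the addresses and the threshold of 200 are all constructed for this example; a real deployment would feed it firewall or flow records from in front of the BorderManager outbound interface.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow-log format used only by this example (not a BorderManager format):
#   <ISO-8601 timestamp> <src-ip> <dst-ip> <dst-port> <tcp-flags>
def _make_sample_flow_log():
    base = datetime(2001, 3, 15, 22, 0, 0)
    lines = []
    # Constructed: 260 connection attempts from one host to tcp/353 within 26 seconds,
    # the same order of magnitude (~250) the report says exhausts the server.
    for i in range(260):
        ts = (base + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} 192.0.2.10 192.0.2.1 353 S")
    # Constructed: five ordinary VPN client handshakes spread over eight minutes.
    for i in range(5):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.5 192.0.2.1 353 S")
    return lines

SAMPLE_FLOW_LOG = _make_sample_flow_log()

# The console/VPN-log message quoted verbatim in the report.
EXHAUSTION_MESSAGE = "No more TCP/IP client connections are available."

# Constructed server log excerpt containing one exhaustion event.
SAMPLE_SERVER_LOG = [
    "2001-03-15 22:00:20 VPN: client handshake on port 353 from 192.0.2.10",
    "2001-03-15 22:00:26 TCPIP: No more TCP/IP client connections are available.",
    "2001-03-15 22:01:00 VPN: client handshake on port 353 from 198.51.100.5",
]


def parse_flow_line(line):
    """Split one constructed flow-log line into (timestamp, src, dst, port, flags)."""
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags


def connection_bursts(lines, dst_port=353, window_seconds=60, threshold=200):
    """Return {src_ip: peak attempts seen inside any window_seconds window}
    for every source whose peak against dst_port exceeds threshold.

    Records are sorted by timestamp first so out-of-order input is handled;
    a per-source deque holds only the timestamps still inside the window."""
    window = timedelta(seconds=window_seconds)
    records = sorted(parse_flow_line(l) for l in lines)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, _dst, port, _flags in records:
        if port != dst_port:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


def exhaustion_events(server_log_lines):
    """Return the server log lines that carry the exhaustion message."""
    return [l for l in server_log_lines if EXHAUSTION_MESSAGE in l]


if __name__ == "__main__":
    print("bursting sources:", connection_bursts(SAMPLE_FLOW_LOG))
    for event in exhaustion_events(SAMPLE_SERVER_LOG):
        print("exhaustion event:", event)
```

Because the report notes that nothing on the console warned of the fault, the log check is the part worth wiring to an alert: the sliding-window count gives early warning from the network side, and the message match confirms the server has already hit the limit and needs the reboot the report describes.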