COMMAND

    Sonicwall

SYSTEMS AFFECTED

    Sonicwall

PROBLEM

    Leon Rosenstein found the following.  The Sonicwall SoHo limits the
    number of connections that can be open at once, which sets up a
    denial of service scenario if one can "surpass" the limit.  The
    condition is reached once more than 2048 connections are open: the
    "cache" overflows and the unit begins to drop internal connections.
    A simple way to re-create this is to run a TCP port scan against a
    host on the WAN.  Once more than 2048 connections are open, the unit
    begins to "complain" via the log:

        08/28/2000 10:18:46.368 - The cache is full; over 2048 simultaneous connections; some will be dropped - Source:10.1.1.6, 2119, LAN - Destination:xxx.xx.xx.xxx, WaN –

    From this point on, new connections have a much lower chance of
    getting through, because the port scanner keeps the remaining
    connection slots saturated.
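    A defender who cannot raise the connection limit can at least watch
    for the log message above and find which LAN host is exhausting the
    table.  The following is an added example, not part of the original
    advisory or the vendor's software: it parses log lines in the format
    shown above (the first sample line is the advisory's own; the
    remaining lines are constructed) and counts "cache is full" events
    per source address, flagging any source that trips a chosen threshold.

```python
import re
from collections import Counter

# Matches the Sonicwall log format quoted in the advisory. The destination
# field carries no port, and the line may end with trailing punctuation.
CACHE_FULL_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - "
    r"The cache is full; over (?P<limit>\d+) simultaneous connections; "
    r"some will be dropped - "
    r"Source:(?P<src_ip>[0-9.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst_ip>[0-9A-Za-z.]+), (?P<dst_if>\w+)"
)

# Constructed sample log: the first line is copied from the advisory, the
# rest are made up to show repeated events from one host plus noise.
SAMPLE_LOG = [
    "08/28/2000 10:18:46.368 - The cache is full; over 2048 simultaneous connections; some will be dropped - Source:10.1.1.6, 2119, LAN - Destination:xxx.xx.xx.xxx, WaN \u2013",
    "08/28/2000 10:18:47.012 - The cache is full; over 2048 simultaneous connections; some will be dropped - Source:10.1.1.6, 2120, LAN - Destination:198.51.100.7, WAN -",
    "08/28/2000 10:18:47.540 - TCP connection dropped - Source:10.1.1.20, 40000, LAN - Destination:198.51.100.9, WAN -",
    "08/28/2000 10:18:48.101 - The cache is full; over 2048 simultaneous connections; some will be dropped - Source:10.1.1.6, 2121, LAN - Destination:198.51.100.7, WAN -",
    "08/28/2000 10:18:49.330 - The cache is full; over 2048 simultaneous connections; some will be dropped - Source:10.1.1.9, 51000, LAN - Destination:198.51.100.8, WAN -",
    "08/28/2000 10:18:50.002 - The cache is full; over 2048 simultaneous connections; some will be dropped - Source:10.1.1.6, 2122, LAN - Destination:198.51.100.7, WAN -",
]


def parse_cache_full(line):
    """Return the fields of a 'cache is full' event, or None for other lines."""
    m = CACHE_FULL_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "limit": int(m.group("limit")),
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "src_if": m.group("src_if"),
        "dst_ip": m.group("dst_ip"),
        "dst_if": m.group("dst_if"),
    }


def noisy_sources(lines, threshold=3):
    """Count cache-full events per (source IP, interface); return those at
    or above the threshold. Repeated events from one LAN host point at the
    machine whose traffic (here, a port scan) is filling the table."""
    counts = Counter()
    for line in lines:
        event = parse_cache_full(line)
        if event is not None:
            counts[(event["src_ip"], event["src_if"])] += 1
    return {source: n for source, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for source, n in noisy_sources(SAMPLE_LOG).items():
        print("%s on %s triggered %d cache-full events" % (source[0], source[1], n))
```

    The threshold is deliberately low for the six-line sample; on a real
    log it should be tuned to the unit's normal event rate so that a
    single burst does not page anyone.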

SOLUTION

    All firewalls except dumb static packet filters suffer from this.
    Firewalls that can set per-destination, per-source or per-interface
    connection limits may limit the extent of the attack, but it will
    always be possible to do a partial DoS on state-tracking firewalls
    (yes, proxies are definitely state tracking) by flooding their state
    table / process number limit / RAM / whatever.

    One big difference between firewalls is how hard it is to flood the
    state table.  On Firewall-1 you can flood it badly by sending in TCP
    ACK packets from random IPs, and there will be no way to track you.
    On some others you have to complete the full SYN/SYN-ACK/ACK
    handshake before you can really hurt the firewall, but that gives
    away your true source network.
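    The per-source limits mentioned above change the outcome of the
    advisory's port-scan scenario from "everyone loses" to "only the
    scanning host loses".  The following added example, which is not
    code from the advisory or from any firewall vendor, models a state
    table with the SoHo's 2048-entry cap and an optional per-source cap.
    It rejects new entries once a cap is reached (a simplification; the
    advisory says the real unit drops existing internal connections) and
    compares what happens to a second LAN host while a scanner from
    10.1.1.6 opens thousands of connections.  All addresses and port
    numbers are constructed.

```python
from collections import Counter


class ConnectionTable:
    """Toy stateful connection table with a global cap and an optional
    per-source cap. Real firewalls evict or time out entries; this model
    only refuses new ones, which is enough to show the mitigation."""

    def __init__(self, capacity=2048, per_source_limit=None):
        self.capacity = capacity
        self.per_source_limit = per_source_limit
        self.entries = set()          # (src, sport, dst, dport) 4-tuples
        self.per_source = Counter()   # live entries per source address
        self.rejected = 0

    def open(self, src, sport, dst, dport):
        """Try to admit a new flow; return True if it got a table slot."""
        key = (src, sport, dst, dport)
        if key in self.entries:
            return True
        if (self.per_source_limit is not None
                and self.per_source[src] >= self.per_source_limit):
            self.rejected += 1
            return False
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries.add(key)
        self.per_source[src] += 1
        return True


def simulate(per_source_limit=None, capacity=2048, scan_ports=4000):
    """One LAN host port-scans a WAN host (scan_ports distinct flows), then
    an unrelated LAN host tries to open a single HTTPS connection."""
    table = ConnectionTable(capacity, per_source_limit)
    scanner_admitted = 0
    for port in range(1, scan_ports + 1):
        # constructed scanner address from the advisory's log sample
        if table.open("10.1.1.6", 2000 + port, "192.0.2.10", port):
            scanner_admitted += 1
    # constructed second LAN host that should keep working
    other_host_ok = table.open("10.1.1.20", 40000, "192.0.2.20", 443)
    return {
        "scanner_admitted": scanner_admitted,
        "other_host_ok": other_host_ok,
        "rejected": table.rejected,
    }


if __name__ == "__main__":
    print("global cap only:    ", simulate())
    print("plus per-source cap:", simulate(per_source_limit=256))
```

    With the global cap alone the scanner takes all 2048 slots and the
    other host's connection is refused; with a per-source cap of 256 the
    scanner is throttled early and the other host gets through.  The
    per-source cap does not help against the spoofed-ACK flood described
    for Firewall-1, since every packet appears to come from a different
    source, which is why the text calls such limits a partial mitigation.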