Possible Gauntlet DoS

Jimmy L. Alderson (jlalder@FIWC.NAVY.MIL)
Thu, 24 Jul 1997 10:37:41 -0400

Hello, I recently had a problem while testing some security strategies on
our internal network. The problem in a nutshell was that our Gauntlet
firewall bastion host was bouncing all mail originating from inside the
firewall. (I'm not sure if it bounced all incoming mail or not; I
believe that at a certain point it more than likely did.)

What I did to start this problem was I telnetted to port 25 of our LAN
server and sent mail to a non-existent address from a non-existent user, so
it would look like this if my user name was really "jimmy":

mail from: jim@realdoamin.com
...sender ok
rcpt to: lkdjf09w4olkjfs9
... reciever ok
data
quit using a .
test
.
quit
sending mail now

This caused the server to forward the mail to the bastion host. The
bastion host spooled the mail, realized it couldn't send it out and
bounced it back to the LAN server. The LAN server said "I don't know no
steeenkin jim, he is not a user on my system", and bounced it back to the
bastion host... and so on and so on and so on. The filesystem on the
bastion host eventually filled up and BOOM no mo mail.

I am not an expert on the Gauntlet firewall, so there may be an option to
truncate this; however, I believe that it sees all new mail as just that,
new mail, no matter how many times it has been processed before. If this
is true, it would be really easy for someone from inside a network to
accomplish this.

Jimmy Lee Alderson
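
The loop in the message above continues because each host treats a returned bounce as new mail. The following Python is an added example, not part of the original post and not Gauntlet code: it models two guards a relay can apply to undeliverable mail (a Received: hop limit, and never bouncing a message that already carries the null sender) and compares the spool growth with and without them. The host names, MAX_HOPS and the spool_limit stand-in for a full disk are assumptions.

```python
from email import message_from_string

MAX_HOPS = 25  # assumed limit; set it above your longest legitimate relay path

def hop_count(raw):
    """Count Received: headers, one per MTA that has handled the message."""
    return len(message_from_string(raw).get_all("Received", []))

def on_undeliverable(envelope_sender, raw, max_hops=MAX_HOPS):
    """Decide what a relay does with a message it cannot deliver."""
    if hop_count(raw) > max_hops:
        return "discard: hop limit exceeded"
    if envelope_sender == "<>":          # already a bounce: never bounce it again
        return "discard: undeliverable bounce"
    return "bounce with null sender"

def simulate(guarded, spool_limit=500):
    """Pass one undeliverable message between two hosts; return copies spooled."""
    hosts = ["lan-server", "bastion"]    # hypothetical host names
    sender = "<jim@realdoamin.com>"      # non-existent sender, as in the post
    raw = "Subject: test\n\ntest\n"      # constructed sample message
    spooled = 0
    while spooled < spool_limit:         # stand-in for the filesystem filling up
        host = hosts[spooled % 2]
        raw = f"Received: by {host}\n" + raw   # each hop stamps the message
        spooled += 1
        if guarded:
            action = on_undeliverable(sender, raw)
            if action.startswith("discard"):
                break
            sender = "<>"                # the bounce carries the null sender
        # unguarded: every bounce is treated as new mail and returned again
    return spooled

if __name__ == "__main__":
    print("unguarded copies spooled:", simulate(guarded=False))
    print("guarded copies spooled:  ", simulate(guarded=True))
```

With the guards in place the exchange stops after the first bounce fails; without them it runs until the spool limit is reached.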