DoS Theory - VPN
This is totally in theory and not sure if it is possible. Or it may have already been tested but I cannot find an answer.
Background: I was doing some remote pen testing on my company's network and decided to not go the stealth route during nmap scans. During the scanning my firewall (WatchGuard x700) noticed the heavy scan traffic and banned my remote IP from all access and traffic.
Topology: I have about 3 VPN tunnels going to different locations.
Question: If I were to use the Nmap decoy function and scan the main office WatchGuard x700 with the decoy addresses of some of the remote office VPN end points, would this cause the VPN tunnels to be dropped? Would it allow the scan since the WatchGuard knows that it's a legitimate VPN tunnel and ignore the traffic?
In other words, if I scanned the WatchGuard with a spoofed IP address of one of my remote VPN offices, would it drop any traffic like it did when I did my nmap scans from home thinking it was malicious traffic? And would that cause the tunnel to drop?
The reason I am asking is to see in theory if that would cause a DoS since remote users would be severed from the main office?
I will probably try this out when I get a chance, the lockout time is 30 minutes so it isn't long term and I can unblock if I need to. Just wondering if the WatchGuard or any firewall would do..
Thanks!! Looking forward to your thoughts :-)
According to WG, if you've got it set up correctly, the WG should detect the spoofed packets and drop them.
zigar, thanks for the link, good info.
I don't have access to my WatchGuard right now to verify but the wording on that sounds like "if you enable it" almost as if it's not on by default. If it is on it sounds like it may prevent the attack.
Although I wonder if in theory my original statement would work if IP spoofing protection was turned off.
My hangup is:
Firewall IPS says = BLOCK THAT SCAN AND SITE!
VPN policy says = create trusted network connection between sites
Not sure if one would override the other if malicious activity was spotted.