Results 1 to 3 of 3

Thread: DoS Theory - VPN

  1. #1
    Senior Member
    Join Date
    Sep 2003
    Posts
    137

    DoS Theory - VPN

    Hey all,

    This is totally in theory and not sure if it is possible. Or it may have already been tested but I cannot find an answer.

    Background: I was doing some remote pen testing on my companies network and decided to not go the stealth route during nmap scans. During the scanning my firewall (WatchGuard x700) noticed the heavy scan traffic and banned my remote IP from all access and traffic.

    Topology: I have about 3 VPN tunnels going to different locations.

    Question: If I were to use the Nmap decoy function and scan the main office WatchGuard x700 with the decoy addresses of some of the remote office VPN end points, would this cause the VPN tunnels to be dropped? Would it allow the scan since the WatchGuard knows that its a legitimate VPN tunnel and ignore the traffic?

    In other words, If I scanned the WatchGuard with a spoofed IP address of one of my remote VPN offices, would it drop any traffic like it did when I did my namp scans from home thinking it was malicious traffic? And would that cause the tunnel to drop?

    The reason I an asking is to see in theory if that would cause a DoS since remote users would be severed from the main office?

    I will probably try this out when I get a chance, the lockout time is 30 minutes so it insnt long term and I can unblock if I need too. Just wondering if the WatchGuard or any firewall would do..

    Thanks!! Looking forward to your thoughts :-)
    \"Common Sense, isn\'t that common\"
    \"It is a lot easier to raise a child then it is to repair an adult\"
    -Kruptos

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    According to WG If you've got it set up correctly, the WG should detect the spoofed packets and drop them

    http://www.watchguard.com/help/lss/7...g/blockin3.htm
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    zigar, thanks for the link, good info.

    I dont have access to my WatchGuard right now to verify but the wording on that sounds like "if you enable it" almost as if its not on by default. If it is on it sounds like it may prevent the attack.

    Although I wonder if in theory my original statement would work if IP spoofing protection was turned off.

    My hangup is:
    Firewall IPS say = BLOCK THAT SCAN AND SITE!
    VPN policy says = create trusted network connection between sites

    Not sure if one would override the other is malicious activity was spotted.
    \"Common Sense, isn\'t that common\"
    \"It is a lot easier to raise a child then it is to repair an adult\"
    -Kruptos

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •