Check Point response to Sockstress TCP DoS attacks (CVE-2008-4609)
On September 08, 2009, CERT-FI published an advisory about an attack tool called Sockstress, which exploits design flaws in the TCP protocol. A successful Sockstress attack may cause damage ranging from denial of TCP connectivity to the target to exhaustion of kernel memory, which may lead to a system panic.
The actual effect depends on the amount of RAM on the target machine and on implementation details of its TCP/IP stack. Many TCP/IP implementations are vulnerable.


    Vulnerability exposure:
    • Not vulnerable products: IPS-1, UTM-1 Edge, IPSO-LX

    • Vulnerable products: VPN-1 Power/UTM, VPN-1 Pro/Express, Connectra, VPN-1 Power VSX

    • Any TCP service that is accessible from any IP on the Internet may be attacked.

This problem has been fixed. The fix is included in the following releases:

  • Check Point NGX R65 HFA_60
  • Check Point R70.20

Check Point recommends always upgrading to a recent version, and to the most recent HFA (Hotfix Accumulator) of that version.

To get the latest HFA for your product, version, and operating system, go to

If you choose not to install the above HFAs, Check Point has released a solution that mitigates the attack against Check Point Security Gateways and protects resources behind the gateway.

HotFixes protecting Check Point gateways:

  • VPN-1 Power/UTM and VPN-1 Pro/Express: R70.1, R65 HFA_50, R62 HFA_01, R60 HF_A07

  • Connectra: R66.1, R62 HFA01, R62CM HFA01

  • VPN-1 Power VSX NGX R65

IPS protections against Sockstress for servers behind a Check Point gateway:

To protect the Security Gateway, install the following hotfixes:

Customers of other versions should contact Check Point Technical Services to receive a HotFix. To contact Support, either call one of the Worldwide Technical Assistance Centers at:

Americas: +1 (972) 444 6600 / +1 (888) 361 5030 / +1 (613) 271 7950 or International: +972-3-6115100 (see the full list of contact phone numbers), or submit a Service Request through

HotFix Installation instructions:

  1. The security hotfix must be installed on top of the specified HFA only. Make sure you have installed the required HFA before installing this security hotfix.

  2. Download the correct tgz archive.

  3. Extract it by running the tar xzvf <tgz archive name> command from Expert mode.

  4. Run the executable whose name starts with fw1.

  5. Follow the instructions on screen.

  6. After the installation ends successfully, reboot the machine.

Configuration options:

  • Protection is enabled by default.

  • To disable the protection, add the line fw_tcp_durability_enable=0 to the $FWDIR/boot/modules/fwkern.conf file and reboot the gateway.

  • To re-enable the protection, add the line fw_tcp_durability_enable=1 to the $FWDIR/boot/modules/fwkern.conf file and reboot the gateway.

Note: create the $FWDIR/boot/modules/fwkern.conf file if it does not exist.


  • To uninstall an HFA from a Security Gateway that also has the Sockstress hotfix, you must first uninstall the Sockstress hotfix and only then uninstall the HFA.

  • Before uninstalling the HFA, remove the associated configuration parameters from $FWDIR/boot/modules/fwkern.conf. Failing to remove these parameters will cause the Gateway not to start after a reboot.

  • If accept logs are configured, SmartView Tracker may continue to produce accept logs associated with the blocked source after a Sockstress block alert is issued. That traffic is blocked by the Sockstress protection, and these accept logs can be safely ignored.


Q. Do I need to protect SmartCenter or Integrity Server from Sockstress?
A. If there are ports on these machines accessible by any client on the internet, customers should activate the IPS protection (on either the IPS-1 or Security gateway) to protect the server.

Q. Why is IPS-1 not vulnerable to Sockstress?
A. IPS-1 is not vulnerable because its TCP ports are accessible from internal interfaces only.

Q. Why is UTM-1 Edge not vulnerable to Sockstress?
A. UTM-1 Edge is not vulnerable because it does not expose TCP ports on its external interface.

Q. My gateway runs on Windows/Solaris. Should I install the vendor patch?
A. Yes. Customers are advised to install vendor patches in addition to the Check Point HotFix for their Security Gateway.

Q. What is the difference between protections provided by the IPS and the gateways?
A. The IPS protection mitigates attacks against servers behind the gateway. The gateway protection mitigates an attack against the gateway itself, i.e. TCP ports on the gateway and the Security Servers.

Q. What should R70 customers do?
A. R70 customers should upgrade to R70.1 and install the current HotFix.

This solution is about products that are no longer supported and it will not be updated.
Applies To:
  • 00509491, 00509553, 00509578, 00509579, 00509597, 00509740, 00509622, 00509637, 00509663, 00509793
