[11208] in bugtraq


Re: Simple DOS attack on FW-1

daemon@ATHENA.MIT.EDU (Scott, Richard)
Sat Jul 31 20:54:11 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <F74E89C7EA1DD31186E900805FA79930A570E0@cs02mail.bestbuy.com>
Date:         Fri, 30 Jul 1999 15:19:03 -0500
Reply-To: "Scott, Richard" <Richard.Scott@BESTBUY.COM>
From: "Scott, Richard" <Richard.Scott@BESTBUY.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

	I've stumbled across a simple Denial of Service attack for
	FW-1; many of you may already be aware of this.  You can
	effectively shut down FW-1 by filling its connections table.
	This is easily done in about 15 minutes with most port
	scanners.
	When FW-1's state connections table is full, it can no longer
	accept any more connections (usually between 25,000-35,000
	connections, depending on your system). You can increase this
	number by increasing kernel memory for the FW-1 module and
	hacking ../lib/table.def. However, a port scanner can build
	that many connections in a matter of minutes.
[snip]

Sure, this is the case if you have a rule set that has something like: let
in a packet that is bound to some address range.
If I have a rule set that is host-based, allowing in only a few specific IP
addresses, is the DoS attack limited?

Increasing the size of the connections allowed in the table may only reduce
the possibility of the attack.  Why not increase the number such that it is
greater than what your bandwidth can handle (advocated by firewall people
here).

r1ccard0

Richard Scott	
(I.S.) E-Commerce Team
* Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

This '|' is not a pipe
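The two mitigations discussed in this thread (a host-based rule base that only creates state for listed sources, and a connections table sized above what the link can deliver) can be reasoned about with a small model. The following is an added example, not code from the original post or from Check Point: a toy stateful connection table with a fixed capacity, plus a sizing calculation that ties table size to link bandwidth and state timeout. The 3600 s TCP timeout, the 64-byte minimum frame, the addresses (documentation ranges) and the scaled-down capacity of 1,000 entries are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Added example (not from the original post or from Check Point). Models the
# FW-1 connections-table exhaustion described in the thread and the two
# mitigations raised: host-based rules and sizing the table against the link.


def max_new_connections_per_second(bandwidth_bps: int, frame_bytes: int = 64) -> float:
    """Upper bound on state-creating packets per second a link can carry.

    Worst case for the firewall: every frame is minimum size (64-byte Ethernet
    frame, assumed) and every frame opens a new table entry.
    """
    return bandwidth_bps / (frame_bytes * 8)


def required_table_size(bandwidth_bps: int, state_timeout_s: int,
                        frame_bytes: int = 64) -> int:
    """Entries needed so a saturated link cannot fill the table before the
    oldest entries age out; depends on the timeout as much as on bandwidth."""
    rate = max_new_connections_per_second(bandwidth_bps, frame_bytes)
    return math.ceil(rate * state_timeout_s)


Key = Tuple[str, str, int]  # (source, destination, destination port)


@dataclass
class ConnectionTable:
    """Toy stateful connection table with a fixed capacity.

    allowed_sources=None models an address-range rule (any source may create
    state); a frozenset models a host-based rule that tracks only listed hosts.
    """
    capacity: int
    timeout_s: float
    allowed_sources: Optional[FrozenSet[str]] = None
    entries: Dict[Key, float] = field(default_factory=dict)
    rejected_by_rule: int = 0
    rejected_table_full: int = 0

    def expire(self, now: float) -> None:
        """Drop entries older than the state timeout."""
        stale = [k for k, seen in self.entries.items() if now - seen >= self.timeout_s]
        for k in stale:
            del self.entries[k]

    def new_connection(self, now: float, src: str, dst: str, dport: int) -> bool:
        """Return True if the firewall accepts (and tracks) this connection."""
        self.expire(now)
        if self.allowed_sources is not None and src not in self.allowed_sources:
            self.rejected_by_rule += 1        # dropped by the rule base, no state created
            return False
        key = (src, dst, dport)
        if key in self.entries:
            return True                       # existing flow, no new entry
        if len(self.entries) >= self.capacity:
            self.rejected_table_full += 1     # the failure mode described in the post
            return False
        self.entries[key] = now
        return True


def compare_rule_bases(capacity: int = 1000, probes: int = 2000,
                       pps: float = 100.0) -> Dict[str, Dict[str, object]]:
    """Run one single-host port sweep against a range-based and a host-based
    rule base, then check whether a legitimate client can still connect.

    Constructed sample: 198.51.100.7 probes `probes` ports on 10.0.0.5 at
    `pps` attempts/s; 192.0.2.10 is the only permitted client. Capacity is
    scaled down from the 25,000-35,000 entries quoted in the post."""
    scanner, server, client = "198.51.100.7", "10.0.0.5", "192.0.2.10"
    results: Dict[str, Dict[str, object]] = {}
    for name, allowed in (("range_rule", None), ("host_rule", frozenset({client}))):
        table = ConnectionTable(capacity=capacity, timeout_s=3600, allowed_sources=allowed)
        accepted = sum(table.new_connection(i / pps, scanner, server, 1 + i)
                       for i in range(probes))
        client_ok = table.new_connection(probes / pps, client, server, 443)
        results[name] = {
            "scanner_entries": accepted,
            "rejected_table_full": table.rejected_table_full,
            "rejected_by_rule": table.rejected_by_rule,
            "legit_client_accepted": client_ok,
        }
    return results


if __name__ == "__main__":
    # Table sizing for a T1 and a 10 Mbps link, assuming a 3600 s TCP timeout
    # versus a 60 s one: the timeout dominates the required size.
    for bps in (1_544_000, 10_000_000):
        print(f"{bps} bps: {max_new_connections_per_second(bps):.0f} new conns/s, "
              f"table >= {required_table_size(bps, 3600):,} entries at 3600 s, "
              f"{required_table_size(bps, 60):,} at 60 s")
    for name, r in compare_rule_bases().items():
        print(name, r)
```

The sizing function makes the "bigger than your bandwidth" argument concrete: even a T1 saturated with minimum-size frames can open about 3,000 new entries per second, so with a 3600 s state timeout the table would need over ten million entries, while the same link with a 60 s timeout needs about 181,000. The simulation shows the other half of the thread: with an address-range rule the scanner fills the table and the legitimate client is refused, whereas with a host-based rule the scanner's packets are dropped before any state is created and the client still gets through.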
