[11217] in bugtraq
Re: Simple DOS attack on FW-1
daemon@ATHENA.MIT.EDU (Jason R. Rhoads)
Sun Aug 1 02:45:22 1999
Message-Id: <37A255D0.D0DD0400@sabernet.net>
Date: Fri, 30 Jul 1999 18:48:00 -0700
Reply-To: "Jason R. Rhoads" <jason.rhoads@SABERNET.NET>
From: "Jason R. Rhoads" <jason.rhoads@SABERNET.NET>
X-To: fw-1-mailinglist@lists.us.checkpoint.com,
bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

I have written a small Perl script, fwconwatch.pl, to monitor the status
of the FW-1 connection table. When the table reaches a predefined
limit, the script sends an alert and emails a listing of the top
connection source addresses. The script also monitors CPU utilization
as I have found this to be another good indicator of abnormal activity.
Once the script has been configured and tested, it can be added to the
/etc/init.d/firewall1 script:

    #!/bin/sh
    # FW-1 Start
    if [ -f /etc/fw/bin/fwstart ]; then
        FWDIR=/etc/fw
        export FWDIR
        /etc/fw/bin/fwstart
        /etc/fw/bin/fwconwatch.pl &
    fi
    # FW-1 END

fwconwatch can be found here: http://www.sabernet.net/software/
Lance Spitzner's fwtable.pl script, which is used to list the top
connection sources, can be found here:
http://www.enteract.com/~lspitz/fwtable.html
Regards,
Jason
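
The check described in the message above (alert when the connection table reaches a limit, then list the top source addresses), as an added example in Python; it is not fwconwatch.pl or fwtable.pl. The dump layout, the sample entries and the names check_table, source_counts and hex_to_ip are assumptions made for this example.

```python
import re
import socket
import struct
from collections import Counter

# Constructed sample of a connection-table dump. The layout (angle-bracketed,
# comma-separated hex fields with the source address first) is an assumption
# for this example, not output captured from a firewall.
SAMPLE_DUMP = """\
localhost:
-------- connections --------
<c0a80105, 0000040a, 0a000001, 00000050, 00000006; 00000e10>
<c0a80105, 0000040b, 0a000001, 00000050, 00000006; 00000e10>
<c0a80105, 0000040c, 0a000002, 00000019, 00000006; 00000e10>
<c0a80107, 00000800, 0a000001, 00000035, 00000011; 00000028>
<ac100a02, 00000411, 0a000003, 00000050, 00000006; 00000e10>
"""

# An entry starts with '<' followed by the 8-hex-digit source address.
ENTRY_RE = re.compile(r"^<([0-9a-fA-F]{8}),")


def hex_to_ip(hex_addr):
    """Convert an 8-digit hex address such as 'c0a80105' to dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", int(hex_addr, 16)))


def source_counts(dump):
    """Count table entries per source address, skipping non-entry lines."""
    counts = Counter()
    for line in dump.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            counts[hex_to_ip(match.group(1))] += 1
    return counts


def check_table(dump, limit, top_n=3):
    """Return entry count, whether the limit was reached, and top sources."""
    counts = source_counts(dump)
    total = sum(counts.values())
    return {
        "entries": total,
        "alert": total >= limit,
        "top_sources": counts.most_common(top_n),
    }


if __name__ == "__main__":
    print(check_table(SAMPLE_DUMP, limit=4))
```
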