[11264] in bugtraq
Re: Simple DOS attack on FW-1
daemon@ATHENA.MIT.EDU (Victoria E. Lease)
Thu Aug 5 08:42:32 1999
Message-Id: <19990803085130.A7153@pixymisa.iwu.edu>
Date: Tue, 3 Aug 1999 08:51:30 -0500
Reply-To: "Victoria E. Lease" <lease@31337.COM>
From: "Victoria E. Lease" <lease@31337.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.02.9908010042210.9131-100000@dimension.net>; from
Lance Spitzner on Sun, Aug 01, 1999 at 12:46:08AM -0400
[Lance Spitzner]
> On Fri, 30 Jul 1999, Jeff Roberson wrote:
> > Also, if they implemented a circular buffer where connections that had
> > been idle the longest were disconnected in favor of new connections their
> > scalability might increase some.
>
> Excellent recommendation, I'll pass it along to Check Point!

Neat idea. Am I the only person who sees the potential for even further abuse
if this 'feature' is added?

Wouldn't this allow DoS attackers to not only keep new connections from
being established, but also to forcefully close already-established valid
connections? Or am I missing something?

I think it might work, though, if non-established, i.e. only two of three
handshakes completed, connections were kept in a circular buffer. That way,
the worst abuse that could happen would be for DoS'ers to incur a *chance*
of established connections failing, and they wouldn't be able to affect
already-established connections. They'd have to keep hammering at the
unestablished-connection buffer, and very quickly, too, in order to keep
valid connections from making it through.

Perhaps this is what was intended by the suggestion in the first place?
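
The two table designs discussed in this message, as an added example that is not part of the original post and is not Check Point's code: a toy model comparing one shared table that evicts its longest-idle entry with a separate ring for half-open connections. The class, function names, table sizes and connection ids are all constructed, and the established connections are assumed to be idle while the bogus handshakes arrive.

```python
from collections import OrderedDict

class ConnTable:
    """Toy stateful-firewall table; dict order tracks idleness (front = idlest)."""
    def __init__(self, split, size=8, pending_size=4):
        self.split = split                # True: half-open entries get their own ring
        self.size, self.pending_size = size, pending_size
        self.main = OrderedDict()         # conn id -> "half-open" | "established"
        self.pending = OrderedDict()      # half-open ring, used only when split

    def syn(self, conn):
        """Handshake started: track a half-open entry, evicting if the table is full."""
        table, limit = ((self.pending, self.pending_size) if self.split
                        else (self.main, self.size))
        if len(table) >= limit:
            table.popitem(last=False)     # drop the longest-idle entry
        table[conn] = "half-open"

    def ack(self, conn):
        """Handshake finished: promote to established if the entry survived."""
        source = self.pending if self.split else self.main
        if source.pop(conn, None) is None:
            return False                  # evicted before the final ACK arrived
        if self.split and len(self.main) >= self.size:
            return False                  # established table full: refuse, never evict
        self.main[conn] = "established"
        return True

def survivors_after_flood(split, flood=1000):
    """Established connections left after `flood` handshakes that never complete."""
    table = ConnTable(split)
    legit = [f"legit-{i}" for i in range(5)]      # constructed connection ids
    for conn in legit:
        table.syn(conn)
        table.ack(conn)
    for i in range(flood):
        table.syn(f"flood-{i}")
    return sum(1 for c in legit if table.main.get(c) == "established")

def handshake_completes(gap, pending_size=4):
    """Split design: does a new handshake finish if `gap` bogus SYNs arrive mid-way?"""
    table = ConnTable(split=True, pending_size=pending_size)
    table.syn("legit-new")
    for i in range(gap):
        table.syn(f"flood-{i}")
    return table.ack("legit-new")

if __name__ == "__main__":
    print(survivors_after_flood(split=False), survivors_after_flood(split=True),
          handshake_completes(gap=3), handshake_completes(gap=4))
```

With the shared table every idle established connection is evicted; with the split design they all survive, and a new handshake fails only when the half-open ring wraps before its final ACK arrives.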