Re: FW-1 DOS attack: PART II

[lsawyer () GCI COM (Leif Sawyer)]

It seems to me that this type of problem would be inherent in
almost any firewall product.  Also, it may be prevalent in any
application which does network address translation (NAT), due
to the problem of state-information timeout.

Cisco's NAT implementation sets a default TTL of 24 hours before
the session entry is cleared from the table. (show ip nat translation)

This can be lowered (shown at 5 minutes) via the commands:
ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 300
ip nat translation icmp-timeout 300

This still begs the question, how far do you tune these in order to protect
yourself against DOS's from portscanners?

> -----Original Message-----
> From: Spitzner, Lance [mailto:lance () SPITZNER NET]
> Sent: Saturday, July 31, 1999 8:32 PM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: FW-1 DOS attack: PART II
>
>
> On 31 Jul 1999, James E McWilliams wrote:
>
> > Good write up on the page. I have a wild one for you is in
> the INSPECT code do you think this problem can be solved?  I
> am going to start looking at it tonight and see what I can
> get going with it.  One more question I had is and I only
> heard back from one person saying they filled up the
> connections on a LINUX proxy based FW in the same matter with
> NMAP. I was wondering if this would work on other FW's?
>
> Excellent question about the use of Inspect, I do not know.  I
> talked to several hardcore guru's it may be possible.  If you
> come up with anything, let us know!  Meanwhile, I'll be
> taking a stab at it myself :)
>
> As for other FW's I don't know.  You would have to learn how
> their connections table works.
>
> > You might be on to something big...
>
> Bigger then I thought.  I hope this doesn't blow up in my face :)
>
> Lance
> http://www.enteract.com/~lspitz