Bugtraq mailing list archives
Re: FW-1 DOS attack: PART II
From: lsawyer () GCI COM (Leif Sawyer)
Date: Tue, 3 Aug 1999 04:35:44 -0800
It seems to me that this type of problem would be inherent in almost any firewall product. Also, it may be prevalent in any application which does network address translation (NAT), due to the problem of state-information timeout.

Cisco's NAT implementation sets a default TTL of 24 hours before the session entry is cleared from the table. (show ip nat translation)

This can be lowered (shown at 5 minutes) via the commands:

    ip nat translation timeout 300
    ip nat translation tcp-timeout 300
    ip nat translation udp-timeout 300
    ip nat translation icmp-timeout 300

This still begs the question, how far do you tune these in order to protect yourself against DOS's from portscanners?
-----Original Message-----
From: Spitzner, Lance [mailto:lance () SPITZNER NET]
Sent: Saturday, July 31, 1999 8:32 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: FW-1 DOS attack: PART II

On 31 Jul 1999, James E McWilliams wrote:

> Good write up on the page. I have a wild one for you is in the INSPECT code do you think this problem can be solved? I am going to start looking at it tonight and see what I can get going with it. One more question I had is and I only heard back from one person saying they filled up the connections on a LINUX proxy based FW in the same matter with NMAP. I was wondering if this would work on other FW's?

Excellent question about the use of Inspect, I do not know. I talked to several hardcore gurus it may be possible. If you come up with anything, let us know! Meanwhile, I'll be taking a stab at it myself :) As for other FW's I don't know. You would have to learn how their connections table works.

> You might be on to something big...Bigger than I thought.

I hope this doesn't blow up in my face :)

Lance
http://www.enteract.com/~lspitz
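The tuning question raised in the message above can be treated as a sizing problem: entries that only leave the table on timeout settle at roughly (new entries per second) x (timeout). The following is an added example, not part of the original posts; the table capacity, legitimate load and scan rate are constructed values, and the function names are hypothetical.

```python
# Added example: sizing model for a NAT/firewall state table.
# Assumption: scan-created entries never close cleanly and leave only on timeout.
from collections import deque

def peak_entries(new_per_sec, timeout_s, duration_s):
    """Simulate second by second and return the peak table occupancy."""
    expiries = deque()              # expiry times, oldest first
    peak = 0
    for t in range(duration_s):
        while expiries and expiries[0] <= t:
            expiries.popleft()      # timeout reached, entry is cleared
        expiries.extend([t + timeout_s] * new_per_sec)
        peak = max(peak, len(expiries))
    return peak

def max_safe_timeout(capacity, legit_entries, scan_per_sec):
    """Largest timeout (s) at which rate * timeout still fits in the free slots."""
    return (capacity - legit_entries) // scan_per_sec

def seconds_to_fill(capacity, legit_entries, scan_per_sec, timeout_s):
    """Seconds until the table is full, or None if expiry keeps up with the scan."""
    free = capacity - legit_entries
    if scan_per_sec * timeout_s <= free:
        return None
    return -(-free // scan_per_sec)  # ceiling division

if __name__ == "__main__":
    CAPACITY = 25000   # constructed table size
    LEGIT = 5000       # constructed steady legitimate entries
    SCAN_RATE = 100    # constructed new entries per second from a scan
    for timeout in (86400, 300, 60):   # 24 h, 5 min, 1 min
        fill = seconds_to_fill(CAPACITY, LEGIT, SCAN_RATE, timeout)
        state = "never fills" if fill is None else f"full after {fill}s"
        print(f"timeout {timeout:>5}s: {state}")
    print("largest timeout that holds:",
          max_safe_timeout(CAPACITY, LEGIT, SCAN_RATE), "s")
    print("simulated peak at 300s timeout:", peak_entries(SCAN_RATE, 300, 600))
```

The model only covers table occupancy; a shorter timeout also clears idle legitimate sessions sooner, which is the other side of the trade-off.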