Bugtraq mailing list archives

Re: Simple DOS attack on FW-1


From: R.E.Wolff () BITWIZARD NL (Rogier Wolff)
Date: Wed, 4 Aug 1999 11:56:24 +0200


Lance Spitzner wrote:
>> Also, if they implemented a circular buffer where connections that had
>> been idle the longest were disconnected in favor of new connections their
>> scalability might increase some.
>
> Excellent recommendation, I'll pass it along to Check Point!

That means I can still DOS a site: If I send 500 packets a second, I
can wrap the connection table in 100 seconds. That means that the
idle-timer is reduced from an hour to less than two minutes.

The only solution is to only allow the longer timeout once BOTH sides
have sent a packet.

                        Roger.

--
** R.E.Wolff () BitWizard nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
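The table-wrap arithmetic above and the proposed fix are easy to check with a small simulation. The following Python is an added example, not part of the original thread and not Check Point's code. It uses the message's numbers (500 packets/s, a one-hour idle timer, and a 50,000-entry table, which is what 500 packets/s wraps in 100 seconds); the 60-second timeout for entries that have only seen one side, the eviction order (entry closest to its own expiry goes first), and the sample addresses are assumptions made here.

```python
"""Simulate an LRU firewall connection table under a one-sided packet flood.

Added example, not from the original post. Numbers from the thread:
500 packets/s, a 50,000-entry table, a 3600 s idle timer. The 60 s
half-open timeout and the deadline-ordered eviction are assumptions.
"""
import heapq
from dataclasses import dataclass


@dataclass
class Entry:
    last_seen: float
    confirmed: bool = False  # True once BOTH sides have sent a packet
    seq: int = 0             # id of this entry's latest heap record


class ConnTable:
    """Fixed-size connection table that evicts the entry closest to expiry.

    With short_timeout == long_timeout every entry gets the full idle
    timer on its first packet: plain LRU, the circular buffer discussed
    in the thread. With a shorter short_timeout the long timer is granted
    only once both sides have sent a packet (Rogier's proposal), so
    half-open entries expire first and are evicted first.
    """

    def __init__(self, capacity, long_timeout=3600.0, short_timeout=None):
        self.capacity = capacity
        self.long_timeout = long_timeout
        self.short_timeout = long_timeout if short_timeout is None else short_timeout
        self.entries = {}      # key -> Entry
        self.heap = []         # (deadline, seq, key); may hold stale records
        self.evictions = 0     # entries forced out because the table was full
        self._seq = 0

    def _deadline(self, e):
        return e.last_seen + (self.long_timeout if e.confirmed else self.short_timeout)

    def _push(self, key, e):
        # A new record supersedes older heap records for this key.
        self._seq += 1
        e.seq = self._seq
        heapq.heappush(self.heap, (self._deadline(e), e.seq, key))

    def _expire(self, now):
        # Drop entries whose own timeout has run out (skipping stale records).
        while self.heap and self.heap[0][0] <= now:
            _deadline, seq, key = heapq.heappop(self.heap)
            e = self.entries.get(key)
            if e is not None and e.seq == seq:
                del self.entries[key]

    def _evict_one(self):
        # Table full: throw out the live entry that would expire soonest.
        while self.heap:
            _deadline, seq, key = heapq.heappop(self.heap)
            e = self.entries.get(key)
            if e is not None and e.seq == seq:
                del self.entries[key]
                self.evictions += 1
                return

    def packet(self, key, now, from_responder=False):
        self._expire(now)
        e = self.entries.get(key)
        if e is None:
            if len(self.entries) >= self.capacity:
                self._evict_one()
            e = Entry(last_seen=now)
            self.entries[key] = e
        e.last_seen = now
        e.confirmed = e.confirmed or from_responder
        self._push(key, e)


# Constructed sample: an established SSH session that goes idle at t=0.
LEGIT = ("10.0.0.5", 40000, "192.0.2.10", 22)


def simulate(table, duration, rate=500):
    """Flood `table` with `rate` never-answered connections per second for
    `duration` seconds. Return whether the idle established session survived."""
    table.packet(LEGIT, 0.0)                        # client -> server
    table.packet(LEGIT, 0.0, from_responder=True)   # server -> client: established
    for i in range(int(duration * rate)):
        now = i / rate
        attacker = ("203.0.113.%d" % (i % 256), 1024 + i, "192.0.2.10", 80)
        table.packet(attacker, now)                 # one packet, never answered
    return LEGIT in table.entries


if __name__ == "__main__":
    for label, table in [("plain LRU", ConnTable(50_000)),
                         ("both-sides rule", ConnTable(50_000, short_timeout=60.0))]:
        alive = simulate(table, duration=120)
        print(f"{label}: idle session survived={alive}, evictions={table.evictions}")
```

With plain LRU the idle session is pushed out just before t=100 s, exactly as the message predicts, because every unanswered packet is treated like a real connection for the full hour. With the both-sides rule the attacker's entries expire after 60 s, so at 500 packets/s the table carries about 30,000 of them at steady state and never wraps; if the table is smaller than that, the half-open entries are still the ones evicted first, so the established session survives either way.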


