Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: Richard.Scott () BESTBUY COM (Scott, Richard)
Date: Fri, 30 Jul 1999 15:19:03 -0500
> I've stumbled across a simple Denial of Service attack for FW-1; many of you may already be aware of this. You can effectively shut down FW-1 by filling its connections table. This is easily done in about 15 minutes with most port scanners. When FW-1's state connections table is full, it can no longer accept any more connections (usually between 25,000-35,000 connections, depending on your system). You can increase this number by increasing kernel memory for the FW-1 module and hacking ../lib/table.def. However, a port scanner can build that many connections in a matter of minutes.

[snip]

Sure, this is the case if you have a rule set that has something like: let in a packet that is bound to some address range. If I have a rule set that is host based, allowing only a few specific IP addresses in, the DoS attack is limited?

Increasing the size of the connections allowed in the table may only reduce the possibility of the attack. Why not increase the number such that it is greater than what your bandwidth can handle (advocated by firewall people here)?

r1ccard0

Richard Scott (I.S.)
E-Commerce Team * Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

This '|' is not a pipe