Re: CERT vulnerability note VU# 539363

["R. DuFresne" <dufresne () sysinfo com>]

On Wed, 16 Oct 2002, Paul D. Robertson wrote:

> On Wed, 16 Oct 2002, Mikael Olsson wrote:
>
> > Although this is something that people need to keep in mind when 
> > picking / designing a firewall, I'd argue that anything north of
> > a stateless packet filter is going to be vulnerable to these sort
> > of attacks.  
>
> So will anything south of a firewall- hosts aren't immune to flooding 
> attacks either, with our without state, nor are routers...
>
> > If you keep state, you will be vulnerable to state table overflows. 
>
> I don't know that "overflow" is the right word here, "exhaustion" seems 
> more fitting.
>
> When I first looked at this, I kind of shrugged and said "So what?"  the 
> firewall is doing its job- stopping packets when there's an attack-

Although the second technique mentions the CRC host after the firewall
attack seems to indicate otherwise, as the packets leave the gateway and
hit the host, which then rejects the packets.  It's that method that seems
to be different, and perhaps an issue vendors now need to look into
dealing with.

Thanks,



Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards