IDS mailing list archives

Re: Sessions Resource Exhaustion


From: "Ravi Chunduru" <ravi.is.chunduru () gmail com>
Date: Sat, 13 Oct 2007 00:04:58 -0700

On 10/12/07, H D Moore <sflist () digitaloffense net> wrote:
> This is called marketing :-) If you want to support DoS attacks consisting
> of more than 10,000 sessions, you must upgrade to a more expensive box. Even
> the very high-end IPS products start hitting session limits after 1-2
> million concurrent sessions[1].

I understand :-). Is it not too expensive for small and medium businesses?

> Session limits are common across a wide range of routers, firewalls, and
> inline security devices. Most devices based on BSD/ipf have a hard limit
> in terms of number of sessions. IIRC, the Linux iptables code will dump
> old sessions in favor of new (when using NAT), so there is no stoppage,
> but connections can get dropped.
>
> These devices tend to be easy to DoS, but in most cases, a single service
> behind the device stops accepting connections before the device's own
> state table is filled.
>
> If you can fill the state table using just SYN packets (without doing a
> full session setup), then the device in question is just crap :-)

I could not exhaust state tables with TCP. I sent UDP:500 traffic
with different source ports to fill up the state table. It makes me
wonder whether many stateful devices are vulnerable to these kinds of
attacks.

> -HD
>
> 1. <spam>My company's product (the BPS-1000) tests up to 5,000,000
> concurrent application sessions at once. In the lab, we see very few
> products that can handle more than 500,000. Our new 10G product
> (BPS-10000) can push 7,500,000 concurrent sessions.</spam>
>
> On Thursday 11 October 2007, Ravi Chunduru wrote:
> > Can I say that these devices are vulnerable to simple DoS attacks?



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
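The two state-table behaviours discussed in this exchange, modelled as an added example that is not code from the thread or from any product it mentions: a hard-limit table that refuses new sessions once full (the BSD/ipf behaviour HD describes), an evict-oldest table that keeps accepting but drops old sessions (the iptables-under-NAT behaviour he recalls), and a per-source entry cap as the mitigation a defender would reach for. It also includes a simple flow-log check that flags a source opening many distinct-source-port sessions to one destination port, the UDP:500 pattern Ravi tested with. The class and function names, the capacity and thresholds, and the RFC 5737 addresses are all constructed for the simulation.

```python
"""Simulated stateful-device session table under UDP source-port churn.

Added example; not code from the thread or from any product it mentions.
Models a hard-limit table (refuses new sessions when full), an evict-oldest
table (keeps accepting, drops old sessions) and a per-source cap as a
mitigation. Addresses, ports, capacity and thresholds are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class SessionTable:
    """Fixed-capacity state table; policy is 'hard_limit' or 'evict_oldest'."""

    def __init__(self, capacity, policy="hard_limit", per_source_cap=None):
        self.capacity = capacity
        self.policy = policy
        self.per_source_cap = per_source_cap   # mitigation: max entries per source IP
        self.table = OrderedDict()             # flow -> last-seen tick, oldest first
        self.per_source = {}                   # src IP -> live entry count
        self.rejected = 0
        self.evicted = 0

    def admit(self, flow, tick):
        """Return True if the packet's flow is (or becomes) a table entry."""
        if flow in self.table:                 # existing session: refresh it
            self.table.move_to_end(flow)
            self.table[flow] = tick
            return True
        if (self.per_source_cap is not None
                and self.per_source.get(flow.src, 0) >= self.per_source_cap):
            self.rejected += 1                 # one source may not own the whole table
            return False
        if len(self.table) >= self.capacity:
            if self.policy == "hard_limit":
                self.rejected += 1             # table full: the new flow is dropped
                return False
            victim, _ = self.table.popitem(last=False)   # drop oldest, keep accepting
            self.per_source[victim.src] -= 1
            self.evicted += 1
        self.table[flow] = tick
        self.per_source[flow.src] = self.per_source.get(flow.src, 0) + 1
        return True


def build_flows(attack_packets):
    """Constructed traffic: one legitimate UDP/500 session, then a flood of
    UDP/500 packets from a single source using a different source port each."""
    legit = Flow("udp", "192.0.2.10", 40000, "198.51.100.1", 500)
    flood = [Flow("udp", "203.0.113.7", 1024 + i, "198.51.100.1", 500)
             for i in range(attack_packets)]
    return legit, flood


def run_scenario(policy, per_source_cap=None, capacity=1000, attack_packets=1500):
    """Run the flood against one table configuration and report the outcome."""
    table = SessionTable(capacity, policy, per_source_cap)
    legit, flood = build_flows(attack_packets)
    table.admit(legit, 0)
    for tick, f in enumerate(flood, start=1):
        table.admit(f, tick)
    # a second legitimate client tries to connect after the flood
    new_legit = Flow("udp", "192.0.2.11", 40001, "198.51.100.1", 500)
    new_ok = table.admit(new_legit, len(flood) + 2)
    return {
        "existing_session_kept": legit in table.table,
        "new_session_admitted": new_ok,
        "rejected": table.rejected,
        "evicted": table.evicted,
        "entries": len(table.table),
    }


def suspicious_sources(flows, max_distinct_sports=100):
    """Defender-side check over flow records: sources that open more than
    max_distinct_sports distinct-source-port sessions to one dst:dport."""
    ports = {}
    for f in flows:
        ports.setdefault((f.src, f.dst, f.dport), set()).add(f.sport)
    return sorted({src for (src, _, _), s in ports.items()
                   if len(s) > max_distinct_sports})


if __name__ == "__main__":
    for policy, cap in (("hard_limit", None), ("evict_oldest", None), ("hard_limit", 50)):
        print(policy, "per_source_cap=%s" % cap, run_scenario(policy, cap))
    legit, flood = build_flows(1500)
    print("flagged sources:", suspicious_sources([legit] + flood))
```

With a 1,000-entry table and a 1,500-packet flood, the hard-limit table keeps the existing session but turns away every new one, the evict-oldest table admits new sessions but silently drops the legitimate one, and the per-source cap leaves the table mostly empty for everyone else. The per-source counter is what a firewall's per-address connection limit does in practice; the distinct-port count over flow records is the corresponding thing to alert on.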


