Vulnerability Development mailing list archives
Re: Sonicwall DoS
From: Mikael Olsson <mikael.olsson () ENTERNET SE>
Date: Mon, 28 Aug 2000 23:02:16 +0200
Leon Rosenstein wrote:
> 08/28/2000 10:18:46.368 - The cache is full; over 2048 simultaneous connections; some will be dropped - Source:10.1.1.6, 2119, LAN - Destination:xxx.xx.xx.xxx, WaN
>
> At this point all future connections will have a much less likely chance of getting through as the port scanner saturates all remaining available connections.
What you've stumbled on is indeed true, and it is a problem. However, it is far from new. All firewalls except dumb static packet filters suffer from it. Boo-hoo. :(

Firewalls that can set per-destination or per-source or per-interface connection limits (I don't know of any that do, however. Duh.) may limit the extent of the attack, but it'll always be possible to do partial DoS on state tracking (yes, proxies are definitely state tracking) firewalls by flooding their state table / process number limit / RAM / whatever.

One big difference between different firewalls is how hard it is to flood the state table. On FireWall-1, you can flood it real bad by sending in TCP ACK packets from random IPs, and there'll be no way to track you. On some others, you'll have to do the full SYN/SYNACK/ACK dance before you can really hurt the firewall, but that gives away your true source network. I don't know which case applies to SonicWall, however.

Hope this serves to shed some light on these issues.

Regards,
Mikael Olsson, EnterNet Sweden

--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00   Fax: +46-(0)660-122 50   Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se   E-mail: mikael.olsson () enternet se
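The per-source connection cap the reply wishes firewalls had, as an added toy model of a stateful firewall's connection table (not SonicWall's or any vendor's code): the 2048-entry table size comes from the log line in the thread, while the scanning host, the legitimate host and the destination addresses are constructed.

```python
from collections import Counter


class StateTable:
    """Toy model of a firewall's connection (state) table.

    capacity: total simultaneous connections (2048, from the log line).
    per_source_limit: hypothetical cap on connections per source IP; None
    means no cap, which is the behaviour the reply describes as common.
    """

    def __init__(self, capacity=2048, per_source_limit=None):
        self.capacity = capacity
        self.per_source_limit = per_source_limit
        self.flows = set()          # keys: (src, sport, dst, dport)
        self.per_source = Counter()  # open connections per source IP
        self.events = []            # log-style messages, like the SonicWall alert

    def add_flow(self, src, sport, dst, dport):
        """Try to admit a new connection; returns True if it got a table slot."""
        key = (src, sport, dst, dport)
        if key in self.flows:
            return True
        if self.per_source_limit is not None and self.per_source[src] >= self.per_source_limit:
            self.events.append(f"per-source limit reached for {src}; connection dropped")
            return False
        if len(self.flows) >= self.capacity:
            self.events.append(
                f"The cache is full; over {self.capacity} simultaneous connections; "
                f"some will be dropped - Source:{src}, {sport}")
            return False
        self.flows.add(key)
        self.per_source[src] += 1
        return True


def simulate(per_source_limit=None):
    """One scanning host tries to open 3000 connections, then a legitimate host
    tries to open 10.  Returns (legitimate connections admitted, table fill)."""
    table = StateTable(capacity=2048, per_source_limit=per_source_limit)
    for i in range(3000):  # constructed scanner traffic, all from one source
        table.add_flow("10.1.1.6", 2119 + i, "192.0.2.10", 1024 + i)
    admitted = sum(table.add_flow("10.1.1.7", 40000 + i, "192.0.2.20", 80) for i in range(10))
    return admitted, len(table.flows)
```

Without a cap the scanner fills all 2048 slots and the legitimate host gets nothing; with a cap of 100 per source the scanner is held to 100 entries and all 10 legitimate connections go through.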
Current thread:
- Sonicwall DoS Leon Rosenstein (Aug 28)
- Re: Sonicwall DoS Mikael Olsson (Aug 28)