Vulnerability Development mailing list archives

Re: Sonicwall DoS


From: Mikael Olsson <mikael.olsson () ENTERNET SE>
Date: Mon, 28 Aug 2000 23:02:16 +0200

Leon Rosenstein wrote:
> 08/28/2000 10:18:46.368 -     The cache is full; over 2048 simultaneous connections; some
> will be dropped -     Source:10.1.1.6, 2119, LAN - Destination:xxx.xx.xx.xxx, WaN –
>
> At this point all future connections will have a much less likely chance of getting through
> as the port scanner saturates all remaining available connections.

What you've stumbled on is indeed true, and it is a problem. However, it
is far from new. All firewalls except dumb static packet filters suffer
from it. Boo-hoo. :(

Firewalls that can set per-destination or per-source or per-interface connection
limits (I don't know of any that do, however. Duh.) may limit the extent of
the attack, but it'll always be possible to do partial DoS on state tracking
(yes, proxies are definitely state tracking) firewalls by flooding their state
table / process number limit / RAM / whatever.

One big difference between different firewalls is how hard it is to
flood the state table. On firewall-1, you can flood it real bad by
sending in TCP ACK packets from random IPs, and there'll be no
way to track you. On some others, you'll have to do the full
SYN/SYNACK/ACK dance before you can really hurt the firewall,
but that gives away your true source network. I don't know
which case applies to sonicwall however.


Hope this serves to shed some light on these issues.

Regards,
Mikael Olsson, EnterNet Sweden


--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
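An added illustration, not part of the thread and not code from any of the firewalls mentioned: a toy in-memory model of a stateful firewall's connection table. It uses the 2048-entry cap from the quoted log line and the 10.1.1.6 / port 2119 values from the same line; the addresses of the "legitimate" clients and of the spoofed sources, the 100-client workload and the per-source limit of 64 are constructed. It shows the two points in the reply above: a table that commits state on any first packet (a bare ACK included) fills up with entries that cannot be traced to a real source, while a table that commits state only after a completed handshake can only be filled by hosts that really own their addresses, and for those a per-source limit bounds how much of the table one host can consume.

```python
"""Toy model of a stateful firewall's connection table (constructed example)."""
from collections import Counter
import random

TABLE_CAP = 2048  # figure from the quoted Sonicwall log line


class StateTable:
    """Simplified connection table: a hard cap, an optional per-source cap,
    and a choice of committing state on any first packet or only after a
    full SYN / SYN-ACK / ACK handshake. Half-open entries are tracked but
    not counted against the cap, to keep the model small."""

    def __init__(self, cap=TABLE_CAP, require_handshake=False, per_source_limit=None):
        self.cap = cap
        self.require_handshake = require_handshake
        self.per_source_limit = per_source_limit
        self.established = set()   # 4-tuples holding a committed state entry
        self.half_open = set()     # SYN seen, client's ACK still outstanding
        self.per_source = Counter()
        self.dropped = 0

    def _commit(self, key):
        src = key[0]
        if len(self.established) >= self.cap:
            self.dropped += 1          # "the cache is full ... some will be dropped"
            return False
        if self.per_source_limit is not None and self.per_source[src] >= self.per_source_limit:
            self.dropped += 1          # this source already holds its share
            return False
        self.established.add(key)
        self.per_source[src] += 1
        return True

    def packet(self, src, sport, dst, dport, flags):
        """Returns True if the packet is forwarded, False if dropped."""
        key = (src, sport, dst, dport)
        if key in self.established:
            return True
        if not self.require_handshake:
            # Any first packet creates state, so a bare ACK from a spoofed address costs an entry.
            return self._commit(key)
        if flags == "SYN":
            self.half_open.add(key)
            return True
        if flags == "ACK" and key in self.half_open:
            # Only a host that received the SYN-ACK can send this; commit state now.
            self.half_open.discard(key)
            return self._commit(key)
        self.dropped += 1              # ACK with no matching half-open entry
        return False


def handshake(table, src, sport, dst="192.0.2.10", dport=80):
    """A client that really owns `src` sees the SYN-ACK and completes the handshake."""
    table.packet(src, sport, dst, dport, "SYN")
    return table.packet(src, sport, dst, dport, "ACK")


def run_spoofed_ack_flood(require_handshake):
    """3000 bare ACKs from random, unreachable sources, then 100 real clients."""
    rng = random.Random(1)  # deterministic constructed input
    table = StateTable(require_handshake=require_handshake)
    for i in range(3000):
        src = "%d.%d.%d.%d" % tuple(rng.randrange(256) for _ in range(4))
        table.packet(src, 1024 + i, "192.0.2.10", 80, "ACK")
    legit_ok = sum(handshake(table, "203.0.113.%d" % i, 40000 + i) for i in range(1, 101))
    return {"attacker_entries": len(table.established) - legit_ok, "legit_accepted": legit_ok}


def run_single_source_scan(per_source_limit):
    """One real host (10.1.1.6, as in the log) opens 3000 connections to distinct ports,
    completing every handshake, then 100 other clients try to connect."""
    table = StateTable(require_handshake=True, per_source_limit=per_source_limit)
    scanner_ok = sum(handshake(table, "10.1.1.6", 2119, dport=1 + i) for i in range(3000))
    legit_ok = sum(handshake(table, "203.0.113.%d" % i, 40000 + i) for i in range(1, 101))
    return {"scanner_entries": scanner_ok, "legit_accepted": legit_ok}


if __name__ == "__main__":
    print("state on any packet, spoofed ACK flood:", run_spoofed_ack_flood(False))
    print("state after handshake, spoofed ACK flood:", run_spoofed_ack_flood(True))
    print("real source, no per-source limit:      ", run_single_source_scan(None))
    print("real source, per-source limit 64:      ", run_single_source_scan(64))
```

Requiring the handshake removes the untraceable case entirely (no entry is ever committed for a source that cannot answer the SYN-ACK), and the per-source limit turns the traceable case from a full outage into a loss of at most 64 entries, which is why the reply above wishes for exactly that kind of limit.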

