Bugtraq mailing list archives

Re: Simple DOS attack on FW-1


From: david () FUNDY CA (David Maxwell)
Date: Thu, 5 Aug 1999 15:16:50 -0300


On Wed, Aug 04, 1999 at 11:56:24AM +0200, Rogier Wolff wrote:
> Lance Spitzner wrote:
> > > Also, if they implemented a circular buffer where connections that had
> > > been idle the longest were disconnected in favor of new connections their
> > > scalability might increase some.
> >
> > Excellent recommendation, I'll pass it along to Check Point!
>
> That means I can still DOS a site: If I send 500 packets a second, I
> can wrap the connection table in 100 seconds. That means that the
> idle-timer is reduced from an hour to less than two minutes.
>
> The only solution is to only allow the longer timeout once BOTH sides
> have sent a packet.

I read the original sentence as "Circular buffer for half-open connections".
I believe people are misreading the 'idle the longest' portion, thinking it
was meant to apply to fully open connections.

It's not perfect of course, if an abuser can spin the buffer in less than
the round trip time for a valid user to open a connection, no new connections
can ever be made. (But under that type of flood I can't think of a setup
that will perform any better either, aside from detect the flood source, and
discard from specific IPs. That can be defeated by using a range of addresses
anyway.)

--
David Maxwell, david () vex net|david () maxwell net -->
(About an Amiga rendering landscapes) It's not thinking, it's being artistic!
                                              - Jamie Woods
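As an added example (not part of this thread and not Check Point code), the following Python model compares the two table designs argued over above: one LRU connection table that every new flow enters, versus a small circular buffer for half-open flows whose entries only reach the long-timeout table once the other side has answered and the initiator has completed the handshake. It reproduces Rogier's arithmetic (a 50,000-slot table at 500 packets/s wraps in 100 s, so the effective idle timer drops from an hour to 100 s) and David's limit case (a flood that spins the half-open buffer faster than a real client's round trip blocks every new connection). The table size of 50,000 (implied by the quoted numbers), the 1,000-slot half-open buffer, the 3,600 s idle timer, the 100 ms round trip, the packet rates and the promotion rule are all assumptions of this model.

```python
"""Constructed model of two firewall state-table designs. Not Check Point code.
Design (a): one LRU connection table; a full table evicts the entry idle longest.
Design (b): a circular buffer for half-open flows; an entry is promoted to the
long-timeout table only when the initiator's handshake-completing packet arrives.
All sizes, rates and timings are assumptions chosen to match the thread's numbers."""
from collections import OrderedDict


class FirewallTable:
    def __init__(self, capacity, idle_timeout, half_open_slots=None):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.half_open_slots = half_open_slots  # None selects design (a)
        self.table = OrderedDict()              # flow -> last_seen, oldest first
        self.half_open = OrderedDict()          # flow -> first_seen, oldest first
        self.evicted_live = 0                   # entries pushed out before their idle timer ran

    def _expire(self, now):
        """Ordinary idle-timer expiry of the long-timeout table (oldest entries sit first)."""
        while self.table:
            flow, last_seen = next(iter(self.table.items()))
            if now - last_seen <= self.idle_timeout:
                break
            del self.table[flow]

    def _insert_established(self, flow, now):
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)      # evict the entry idle the longest
            self.evicted_live += 1              # it had not timed out: the flood pushed it out
        self.table[flow] = now

    def packet(self, flow, now, completes=False):
        """Handle one packet; `completes` marks the initiator's packet that finishes the
        handshake, which only an initiator that really saw the reply can send."""
        self._expire(now)
        if flow in self.table:
            self.table[flow] = now
            self.table.move_to_end(flow)
            return "established"
        if self.half_open_slots is None:        # design (a): first packet takes a table slot
            self._insert_established(flow, now)
            return "established"
        if completes:                           # design (b): promotion needs the half-open entry
            if flow not in self.half_open:
                return "dropped"                # its slot was overwritten by the flood
            del self.half_open[flow]
            self._insert_established(flow, now)
            return "established"
        if flow not in self.half_open:
            if len(self.half_open) >= self.half_open_slots:
                self.half_open.popitem(last=False)  # circular buffer: overwrite the oldest
            self.half_open[flow] = now
        return "half-open"


def effective_idle_timeout(capacity, attacker_pps, idle_timeout):
    """Design (a): the idle timer can never outlast the time the flood needs to wrap the table."""
    return min(idle_timeout, capacity / attacker_pps)


def handshake_survives(half_open_slots, attacker_pps, rtt):
    """Design (b): a real initiator's slot must outlive one round trip, i.e. the flood
    must not wrap the half-open buffer faster than the client can answer."""
    return half_open_slots / attacker_pps > rtt


def simulate(fw, attacker_pps, duration, legit_interval, legit_rtt, idle_sessions):
    """Constructed traffic: the attacker opens a fresh spoofed flow every 1/attacker_pps s
    and never completes a handshake; a real client opens a flow every legit_interval s and
    completes it legit_rtt later; idle_sessions established flows stay silent from t=0."""
    for k in range(idle_sessions):
        fw.packet(("idle", k), 0.0)
        if fw.half_open_slots is not None:
            fw.packet(("idle", k), 0.0, completes=True)
    events, seq = [], 0                         # (time, seq, flow, completes); seq keeps sort stable
    for i in range(int(duration * attacker_pps)):
        events.append((i / attacker_pps, seq, ("atk", i), False)); seq += 1
    for j in range(int(duration / legit_interval)):
        t0 = j * legit_interval
        events.append((t0, seq, ("legit", j), False)); seq += 1
        events.append((t0 + legit_rtt, seq, ("legit", j), True)); seq += 1
    events.sort()
    completed = failed = 0
    for t, _, flow, completes in events:
        result = fw.packet(flow, t, completes)
        if completes:
            if result == "established":
                completed += 1
            else:
                failed += 1
    return {"completed": completed, "failed": failed, "evicted_live": fw.evicted_live,
            "idle_sessions_left": sum(1 for f in fw.table if f[0] == "idle")}


if __name__ == "__main__":
    print("design (a) idle timer under 500 pps:", effective_idle_timeout(50000, 500, 3600), "s")
    print("design (a), 500 pps:", simulate(FirewallTable(50000, 3600), 500, 120, 10, 0.1, 1000))
    print("design (b), 500 pps:", simulate(FirewallTable(50000, 3600, 1000), 500, 120, 10, 0.1, 1000))
    print("design (b), 20000 pps:", simulate(FirewallTable(50000, 3600, 1000), 20000, 2, 0.5, 0.1, 1000))
```

In the first run the 1,000 silent but legitimate sessions are all evicted from the single table after about 100 s despite the hour-long timer, which is Rogier's objection. With the half-open buffer they are untouched and every handshake still completes at 500 packets/s, but at 20,000 packets/s the buffer wraps every 50 ms, under the 100 ms round trip, so no new connection ever completes; that is the limit David describes, and `handshake_survives` is the one-line version of the same check.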
