Firewall Wizards mailing list archives
RE: CERT vulnerability note VU# 539363
From: "Ofir Arkin" <ofir () sys-security com>
Date: Wed, 16 Oct 2002 15:59:42 +0200
Interesting that CERT found time to publish this kind of advisory... Interesting that for other, more damaging, vulnerabilities they don't have time or either drag it forever sending information to only a handful of selected vendors while not informing other. But this is me ranting about stuff... The issue discussed in their advisory is a well known fact for years. What's next?... Ofir Arkin [ofir () sys-security com] Founder The Sys-Security Group http://www.sys-security.com PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stephen Gill Sent: Wednesday, October 16, 2002 3:20 PM To: 'Mikael Olsson' Cc: firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] CERT vulnerability note VU# 539363 In my opinion if a stateful firewall claims it can filter at rate X (64byte packets, etc...), it should be able to filter at that rate under all conditions. Clearly a 100MB firewall that can be overloaded with 1MB of traffic is not good. I'd argue that if a 100MB firewall can be overloaded with 34MB of traffic, it's also not a good thing. But then again, even 100MB of filtering won't save you in a 100MB DoS which is not all that uncommon. I'd like to learn some of the other methods being used for mitigation amongst vendors. -- steve -----Original Message----- From: Mikael Olsson [mailto:mikael.olsson () clavister com] Sent: Wednesday, October 16, 2002 7:44 AM To: Stephen Gill Cc: firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363 Stephen Gill wrote:
Thought I'd pass this along. http://www.kb.cert.org/vuls/id/539363
Although this is something that people need to keep in mind when picking / designing a firewall, I'd argue that anything north of a stateless packet filter is going to be vulnerable to these sort of attacks. If you keep state, you will be vulnerable to state table overflows. Period. The only real question is: how much work does the attacker need to put in before it becomes painful for the networks that the firewall is protecting? Is being able to resist a 1 Mbps stream (~4500 pps) "Not vulnerable"? Is being able resist a 34 Mbps stream (~150 kpps) "Not vulnerable"? Or should every single firewall vendor report in and say "Vulnerable", and describe what the limit is? And, yes, ALG-only firewalls can also be overloaded. It's just a different type of 'state'. -- Mikael Olsson, Clavister AB Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50 WWW: http://www.clavister.com "Senex semper diu dormit" _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- Re: CERT vulnerability note VU# 539363 Mikael Olsson (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- Re: CERT vulnerability note VU# 539363 Daniel Hartmeier (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- RE: CERT vulnerability note VU# 539363 R. DuFresne (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- RE: CERT vulnerability note VU# 539363 R. DuFresne (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- Re: CERT vulnerability note VU# 539363 Mikael Olsson (Oct 16)
- RE: CERT vulnerability note VU# 539363 Ofir Arkin (Oct 16)
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)
- Re: CERT vulnerability note VU# 539363 R. DuFresne (Oct 16)
- Re: CERT vulnerability note VU# 539363 Daniel Hartmeier (Oct 16)
- Re: CERT vulnerability note VU# 539363 Paul D. Robertson (Oct 16)
- <Possible follow-ups>
- RE: CERT vulnerability note VU# 539363 Stephen Gill (Oct 16)