Firewall Wizards mailing list archives

Re: CERT vulnerability note VU# 539363


From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Wed, 16 Oct 2002 11:50:41 -0700

> Date: Wed, 16 Oct 2002 15:53:37 +0200
> From: Daniel Hartmeier <daniel () benzedrine cx>
>
> On Wed, Oct 16, 2002 at 08:20:09AM -0500, Stephen Gill wrote:
>
> > In my opinion if a stateful firewall claims it can filter at rate X
> > (64-byte packets, etc.), it should be able to filter at that rate under
> > all conditions.
>
> Obviously, for any X, when each packet is part of a TCP handshake, the X/2
> (or /3, depending on how you count) newly established connections per
> second will exhaust memory on the firewall after a certain amount of time.
>
> I don't think you meant 'be able to filter at that rate' to include
> 'dropping legitimate connections when running out of memory', did you?
>
> > I'd like to learn some of the other methods being used for mitigation
> > amongst vendors.
>
> Yes, that's what I'd find most interesting to read in vendor statements
> myself. :)
>
> Daniel


In addition to a SYN-flood prevention thingy which, at a user-configurable
threshold, will start dropping X percent of new SYN connections, Netscreen
has a feature where you can limit the number of sessions a particular IP
address can generate, i.e.:

    set firewall session-threshold source-ip-based 1000

This would seem to be helpful for various things (i.e. Code Red-infected
internal hosts), unless you're getting a random IP-address-spoofed incoming
DoS.

--
Philip J. Koenig                                       
pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New 
Millenium


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
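As an added illustration (not from the thread, and not vendor code), here is a toy model of a stateful firewall's finite state table with a per-source session threshold of the kind the Netscreen command above is said to provide. It shows the case the threshold helps with (one noisy internal host exhausting the table) and the case Philip notes it does not (many spoofed sources, each staying under the cap). The table size, threshold and IP addresses are constructed values.

```python
"""Toy state-table model: per-source session cap vs. table exhaustion.
Constructed simulation for illustration, not any vendor's implementation."""
import random
from collections import Counter


class SessionTable:
    """Finite session table with an optional cap on sessions per source IP."""

    def __init__(self, capacity, per_source_limit=None):
        self.capacity = capacity                # total state entries available
        self.per_source_limit = per_source_limit  # like 'session-threshold source-ip-based N'
        self.per_source = Counter()
        self.total = 0
        self.dropped_by_limit = 0     # refused by the per-source cap
        self.dropped_by_capacity = 0  # refused because the whole table is full

    def new_session(self, src_ip):
        """Try to allocate a state entry for a new connection; True if admitted."""
        if self.per_source_limit is not None and self.per_source[src_ip] >= self.per_source_limit:
            self.dropped_by_limit += 1
            return False
        if self.total >= self.capacity:
            self.dropped_by_capacity += 1
            return False
        self.per_source[src_ip] += 1
        self.total += 1
        return True


def run_scenario(attack_sources, attack_count, capacity=10_000, per_source_limit=1000, seed=1):
    """Send attack_count new-connection attempts drawn from attack_sources, then
    check whether one legitimate client can still obtain a session.
    Returns (attack sessions admitted, legitimate session admitted)."""
    rng = random.Random(seed)
    table = SessionTable(capacity, per_source_limit)
    admitted = sum(table.new_session(rng.choice(attack_sources)) for _ in range(attack_count))
    legit_ok = table.new_session("192.0.2.10")  # constructed legitimate client address
    return admitted, legit_ok


if __name__ == "__main__":
    # One Code Red-style internal host: capped at 1000 entries, table never fills.
    print("single host:", run_scenario(["10.0.0.5"], 50_000))
    # 256 spoofed sources: each stays under the cap, the 10,000-entry table fills,
    # and the legitimate client is refused.
    spoofed = [f"198.51.100.{i}" for i in range(256)]
    print("spoofed sources:", run_scenario(spoofed, 50_000))
```

The second scenario is why a per-source threshold is no substitute for SYN-flood protection against spoofed traffic: the table still fills at the aggregate rate Daniel describes, just spread across sources that never individually reach the cap.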