IDS mailing list archives

Re: Sessions Resource Exhaustion


From: H D Moore <sflist () digitaloffense net>
Date: Fri, 12 Oct 2007 11:02:42 -0500

This is called marketing :-) If you want to support DoS attacks consisting 
of more than 10,000 sessions, you must upgrade to a more expensive box. Even 
the very high-end IPS products start hitting session limits after 1-2 
million concurrent sessions[1].

Session limits are common across a wide range of routers, firewalls, and 
inline security devices. Most devices based on BSD/ipf have a hard limit 
in terms of number of sessions. IIRC, the Linux iptables code will dump 
old sessions in favor of new (when using NAT), so there is no stoppage, 
but connections can get dropped.

These devices tend to be easy to DoS, but in most cases, a single service 
behind the device stops accepting connections before the device's own 
state table is filled.

If you can fill the state table using just SYN packets (without doing a 
full session setup), then the device in question is just crap :-)

-HD

1. <spam>My company's product (the BPS-1000) tests up to 5,000,000 
concurrent application sessions at once. In the lab, we see very few 
products that can handle more than 500,000. Our new 10G product 
(BPS-10000) can push 7,500,000 concurrent sessions.</spam>

On Thursday 11 October 2007, Ravi Chunduru wrote:
> Can I say that these devices are vulnerable to simple DoS attacks?
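The behaviours described in the message above (a hard session cap as with BSD/ipf, eviction of the oldest session to make room for a new one as described for Linux iptables NAT, and a state table that SYN-only traffic can fill) are modelled in the toy Python simulation below. This is an added illustration, not part of H D Moore's message and not code from any product; the class, capacity, timeouts and 5-tuples are constructed for the example. Its point is the defender's one: a table that ages out half-open (SYN-only) entries on a short embryonic timeout cannot be filled by SYNs alone unless the SYN rate exceeds capacity divided by that timeout, whereas a table that counts half-open entries against the same cap with no aging is the "just crap" case.

```python
"""Toy model of an inline device's connection state table.

Constructed for illustration: the StateTable class, its eviction policies
("hard" = refuse new sessions when full, "evict" = drop the oldest session),
the timeouts and the sample addresses are assumptions of this example, not
the behaviour of any named product.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Session:
    established: bool   # True once the handshake completed
    last_seen: float    # timestamp of the last packet for this flow


class StateTable:
    def __init__(self, capacity, policy="hard",
                 embryonic_timeout=5.0, idle_timeout=300.0):
        self.capacity = capacity
        self.policy = policy                      # "hard" or "evict"
        self.embryonic_timeout = embryonic_timeout  # SYN-only entries age out fast
        self.idle_timeout = idle_timeout            # established flows live longer
        self.sessions = OrderedDict()             # oldest entry first
        self.dropped_new = 0
        self.evicted_old = 0

    def expire(self, now):
        """Remove entries that exceeded their timeout; return how many."""
        expired = [k for k, s in self.sessions.items()
                   if now - s.last_seen >
                   (self.idle_timeout if s.established else self.embryonic_timeout)]
        for k in expired:
            del self.sessions[k]
        return len(expired)

    def syn(self, key, now):
        """A SYN for 5-tuple `key` arrives; return True if a slot was allocated."""
        self.expire(now)
        if key in self.sessions:
            self.sessions[key].last_seen = now
            self.sessions.move_to_end(key)
            return True
        if len(self.sessions) >= self.capacity:
            if self.policy == "hard":
                self.dropped_new += 1      # BSD/ipf-style: new connection refused
                return False
            self.sessions.popitem(last=False)  # iptables-style: oldest session dumped
            self.evicted_old += 1
        self.sessions[key] = Session(False, now)
        return True

    def established(self, key, now):
        """Handshake completed; the entry now gets the long idle timeout."""
        s = self.sessions.get(key)
        if s is None:
            return False
        s.established, s.last_seen = True, now
        return True

    def count(self):
        return len(self.sessions)


def syn_only_scenario(policy, capacity=1000, flood=3000, embryonic_timeout=5.0):
    """Burst of `flood` SYNs from distinct 5-tuples, none completing the
    handshake, then one legitimate client. Returns (legit_accepted,
    table_size_after_embryonic_timeout)."""
    t = StateTable(capacity, policy=policy, embryonic_timeout=embryonic_timeout)
    for i in range(flood):                      # constructed attacker 5-tuples
        t.syn(("10.0.0.%d" % (i % 250), 40000 + i, "srv", 80), now=0.5)
    legit = ("192.0.2.10", 50000, "srv", 80)    # constructed legitimate client
    accepted = t.syn(legit, now=1.0)
    if accepted:
        t.established(legit, now=1.0)
    t.expire(1.0 + embryonic_timeout + 1)       # half-open entries age out
    return accepted, t.count()


def sustained_syn_scenario(policy="hard", capacity=1000, rate=100,
                           seconds=30, embryonic_timeout=5.0):
    """Steady SYN-only stream at `rate` per second for `seconds`, then one
    legitimate SYN. With aging, occupancy settles near rate*timeout."""
    t = StateTable(capacity, policy=policy, embryonic_timeout=embryonic_timeout)
    for n in range(seconds * rate):
        t.syn(("198.51.100.%d" % (n % 250), 1024 + n, "srv", 443), now=n / rate)
    accepted = t.syn(("192.0.2.10", 50001, "srv", 443), now=float(seconds))
    return accepted, t.count()


if __name__ == "__main__":
    print("burst, hard cap:      ", syn_only_scenario("hard"))
    print("burst, evict oldest:  ", syn_only_scenario("evict"))
    print("sustained, with aging:", sustained_syn_scenario("hard"))
    print("sustained, no aging:  ",
          sustained_syn_scenario("hard", embryonic_timeout=float("inf")))
```

Under the hard policy a burst larger than the capacity locks out the legitimate client until the half-open entries age out; under the evict policy the client gets in, at the cost of an older session being dumped (the "connections can get dropped" case). The sustained run shows why the embryonic timeout matters: 100 SYN/s against a 1,000-entry table with a 5 s half-open timeout never fills it, while the same stream against a table with no half-open aging fills it in ten seconds.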


