Re: Sessions Resource Exhaustion

["Rahul K" <rahulmk () gmail com>]

On 10/13/07, Ravi Chunduru <ravi.is.chunduru () gmail com> wrote:
> On 10/12/07, H D Moore <sflist () digitaloffense net> wrote:
> > If you can fill the state table using just SYN packets (without doing a
> > full session setup), then the device in question is just crap :-)
>
> i could not exhaust state tables with TCP.  I sent UDP:500 traffic
> with different source ports to fill up the state table. It makes me
> wonder whether may stateful devices are vulnerable to these kinds of
> attacks.

UDP may be stateless, but the moment an IPS receives an UDP packet
with some content it would have to initialize and maintain a session
for that packet because the signature matching and other checks have
to kick in. So it is not surprising that you could fill up the state
table with UDP:500 traffic. It is easier to spoof UDP packets than
complete the 3-way TCP handshake, so you may have been able to fill up
the table faster too.

However in your deployment scenario, would you really be allowing
incoming UDP traffic or would your firewall be dropping them before it
is seen by the IPS?

Rahul

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------