IDS mailing list archives

Re: Sessions Resource Exhaustion

From: "Rahul K" <rahulmk () gmail com>
Date: Tue, 16 Oct 2007 16:24:03 +0530

Guess I was not being clear. I was not being specific to VPN ports 500
or 1701 or associated ports. I was just trying to point out why you
were able to fill up the state table with just UDP packets with
different source ports but having the same SIP-DIP:DP.

If the VPN server would handle only N clients at a time, then the IPS
really shouldn't be seeing more than 'N' UDP sessions. If the server
won't process it, then the IPS shouldn't be doing it either. How is
another matter! ;-)

Rahul

On 10/16/07, Ravi Chunduru <ravi.is.chunduru () gmail com> wrote:

Rahul,

Is it not common to have IPsec VPN Server in typical network deployments?

Regards
Ravi

On 10/15/07, Rahul K <rahulmk () gmail com> wrote:

On 10/13/07, Ravi Chunduru <ravi.is.chunduru () gmail com> wrote:

On 10/12/07, H D Moore <sflist () digitaloffense net> wrote:

If you can fill the state table using just SYN packets (without doing a
full session setup), then the device in question is just crap :-)


i could not exhaust state tables with TCP.  I sent UDP:500 traffic
with different source ports to fill up the state table. It makes me
wonder whether may stateful devices are vulnerable to these kinds of
attacks.


UDP may be stateless, but the moment an IPS receives an UDP packet
with some content it would have to initialize and maintain a session
for that packet because the signature matching and other checks have
to kick in. So it is not surprising that you could fill up the state
table with UDP:500 traffic. It is easier to spoof UDP packets than
complete the 3-way TCP handshake, so you may have been able to fill up
the table faster too.

However in your deployment scenario, would you really be allowing
incoming UDP traffic or would your firewall be dropping them before it
is seen by the IPS?

Rahul


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Current thread:

Sessions Resource Exhaustion Ravi Chunduru (Oct 12)
- Re: Sessions Resource Exhaustion Andrew Hay (Oct 12)
- Re: Sessions Resource Exhaustion H D Moore (Oct 12)
  - Re: Sessions Resource Exhaustion Ravi Chunduru (Oct 15)
    - Re: Sessions Resource Exhaustion Rahul K (Oct 16)
    - Re: Sessions Resource Exhaustion Ravi Chunduru (Oct 16)
    - Re: Sessions Resource Exhaustion Rahul K (Oct 16)
    - Re: Sessions Resource Exhaustion Control Zed (Oct 18)
- RE: Sessions Resource Exhaustion Nelson Brito (Oct 12)
  - Re: Sessions Resource Exhaustion K K (Oct 15)
    - RE: Sessions Resource Exhaustion Nelson Brito (Oct 15)
  - RE: Sessions Resource Exhaustion Ahsan Khan (Oct 15)
    - Re: Sessions Resource Exhaustion Roland Dobbins (Oct 16)
    - RE: Sessions Resource Exhaustion Nelson Brito (Oct 16)
- Re: Sessions Resource Exhaustion jean-philippe luiggi (Oct 15)
- RE: Sessions Resource Exhaustion Srinivasa Addepalli (Oct 15)
- Re: Sessions Resource Exhaustion Ravi Chunduru (Oct 16)