IDS mailing list archives
Re: Sessions Resource Exhaustion
From: "Rahul K" <rahulmk () gmail com>
Date: Tue, 16 Oct 2007 16:24:03 +0530
Guess I was not being clear. I was not being specific to VPN ports 500 or 1701 or associated ports. I was just trying to point out why you were able to fill up the state table with just UDP packets with different source ports but having the same SIP-DIP:DP. If the VPN server would handle only N clients at a time, then the IPS really shouldn't be seeing more than 'N' UDP sessions. If the server won't process it, then the IPS shouldn't be doing it either. How is another matter! ;-) Rahul On 10/16/07, Ravi Chunduru <ravi.is.chunduru () gmail com> wrote:
Rahul, Is it not common to have IPsec VPN Server in typical network deployments? Regards Ravi On 10/15/07, Rahul K <rahulmk () gmail com> wrote:On 10/13/07, Ravi Chunduru <ravi.is.chunduru () gmail com> wrote:On 10/12/07, H D Moore <sflist () digitaloffense net> wrote:If you can fill the state table using just SYN packets (without doing a full session setup), then the device in question is just crap :-)i could not exhaust state tables with TCP. I sent UDP:500 traffic with different source ports to fill up the state table. It makes me wonder whether may stateful devices are vulnerable to these kinds of attacks.UDP may be stateless, but the moment an IPS receives an UDP packet with some content it would have to initialize and maintain a session for that packet because the signature matching and other checks have to kick in. So it is not surprising that you could fill up the state table with UDP:500 traffic. It is easier to spoof UDP packets than complete the 3-way TCP handshake, so you may have been able to fill up the table faster too. However in your deployment scenario, would you really be allowing incoming UDP traffic or would your firewall be dropping them before it is seen by the IPS? Rahul
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Sessions Resource Exhaustion Ravi Chunduru (Oct 12)
- Re: Sessions Resource Exhaustion Andrew Hay (Oct 12)
- Re: Sessions Resource Exhaustion H D Moore (Oct 12)
- Re: Sessions Resource Exhaustion Ravi Chunduru (Oct 15)
- Re: Sessions Resource Exhaustion Rahul K (Oct 16)
- Re: Sessions Resource Exhaustion Ravi Chunduru (Oct 16)
- Re: Sessions Resource Exhaustion Rahul K (Oct 16)
- Re: Sessions Resource Exhaustion Ravi Chunduru (Oct 15)
- Re: Sessions Resource Exhaustion Control Zed (Oct 18)
- Re: Sessions Resource Exhaustion K K (Oct 15)
- RE: Sessions Resource Exhaustion Nelson Brito (Oct 15)
- RE: Sessions Resource Exhaustion Ahsan Khan (Oct 15)
- Re: Sessions Resource Exhaustion Roland Dobbins (Oct 16)
- RE: Sessions Resource Exhaustion Nelson Brito (Oct 16)