Penetration Testing mailing list archives

[PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall


From: Vernon Vernon <vernon_me () HOTMAIL COM>
Date: Tue, 23 Jan 2001 08:10:45 -0000

Hi All,

Currently my team has performed a SYN-Flood attack at one site as part of
the penetration test, which is running SunScreen EFS on SunOS 5.6. We performed
the attack using TFN2K and managed to halt the server by using only one attack
machine. (The throughput is around 300-500k)

Originally, the SunOS kernel parameters tcp_ip_abort_cinterval &
tcp_conn_req_max_q0 should be able to address this issue. We have tested the
following values:

tcp_ip_abort_cinterval = 60,000
tcp_conn_req_max_q0 = 2048/4096/even 300,000

However, it doesn't seem to be effective. We can still DoS the firewall from
one machine. We have discussed this with the vendor and the vendor cannot explain
why these do not work. They explained that they only know this countermeasure
(at OS level) to defend against SYN-Flood for Sun machines.

Apart from using a NIDS or configuring a router to provide SYN-Flood
countermeasures (which is quite costly), is there something wrong with the
above settings, or is there anything else that can be done at OS level to address
this problem?

Thanks a lot,

Vernon

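As an added illustration (not part of the original post or of Sun's code), the model below ticks the half-open (SYN_RCVD) queue one millisecond at a time to show why raising tcp_conn_req_max_q0 only helps when it exceeds the SYN arrival rate multiplied by tcp_ip_abort_cinterval: the SYN rates used are constructed values, since the post's throughput figure carries no unit.

```python
from collections import deque


def sustainable_syn_rate(max_q0, abort_interval_ms):
    """Largest steady SYN rate (per second) the half-open queue can absorb
    without dropping: every slot is held for abort_interval_ms, so the queue
    fills once rate * interval exceeds max_q0 (tcp_conn_req_max_q0)."""
    return max_q0 * 1000.0 / abort_interval_ms


def simulate_half_open_queue(syn_rate, abort_interval_ms, max_q0, duration_ms):
    """Simulate the SYN_RCVD queue of one listener under a steady flood.

    A spoofed SYN that gets a slot never completes the handshake, so the slot
    is held until the kernel aborts the attempt after abort_interval_ms
    (tcp_ip_abort_cinterval). SYNs arriving at a full queue are dropped, and
    that is the point at which legitimate clients stop getting through.
    """
    expiries = deque()        # expiry time (ms) of each occupied slot, FIFO
    accepted = dropped = peak = 0
    credit = 0.0              # fractional SYNs carried over between ticks
    syns_per_ms = syn_rate / 1000.0
    for now in range(duration_ms):
        while expiries and expiries[0] <= now:
            expiries.popleft()    # kernel gave up on this half-open entry
        credit += syns_per_ms
        arrivals = int(credit)
        credit -= arrivals
        for _ in range(arrivals):
            if len(expiries) < max_q0:
                expiries.append(now + abort_interval_ms)
                accepted += 1
            else:
                dropped += 1
        peak = max(peak, len(expiries))
    return {"accepted": accepted, "dropped": dropped, "peak_occupancy": peak}


if __name__ == "__main__":
    # Constructed scenario: 5000 SYN/s against the post's settings (60 s abort
    # interval, q0 of 4096) for 70 s; then the same interval with q0 = 300000.
    print("sustainable rate at q0=4096:", sustainable_syn_rate(4096, 60000))
    print("q0=4096   :", simulate_half_open_queue(5000, 60000, 4096, 70000))
    print("q0=300000 :", simulate_half_open_queue(4000, 60000, 300000, 70000))
```

With a 60 s abort interval, a 4096-entry queue sustains only about 68 SYN/s, so the queue is full within the first second of any real flood; shortening tcp_ip_abort_cinterval raises the sustainable rate in the same proportion as enlarging the queue.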

