Penetration Testing mailing list archives
[PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall
From: Vernon Vernon <vernon_me () HOTMAIL COM>
Date: Tue, 23 Jan 2001 08:10:45 -0000
Hi All,

Currently my team has performed a SYN-Flood attack at one site, which is running SunScreen EFS on SunOS 5.6, as part of the penetration test. We performed the attack using TFN2K and managed to halt the server by using only one attack machine. (The throughput is around 300-500k)

Originally, the SunOS kernel parameters tcp_ip_abort_cinterval & tcp_conn_req_max_q0 should be able to address this issue. We have tested the following values:

tcp_ip_abort_cinterval = 60,000
tcp_conn_req_max_q0 = 2048/4096/even 300,000

However, it doesn't seem to be effective. We can still DoS the firewall with one machine. We have discussed this with the vendor and the vendor cannot explain why these do not work. They explained that they only know this countermeasure (at OS level) to defend against SYN-Flood on Sun machines.

Apart from using NIDS or configuring the router to provide SYN-Flood countermeasures (which is quite costly), is there something wrong with the above settings, or is there anything else that can be done at OS level to address this problem?

Thanks a lot,
Vernon
Current thread:
- [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall Vernon Vernon (Jan 23)
- Re: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall Ryan Russell (Jan 23)
- Re: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall Steve Hall (Jan 23)