Penetration Testing mailing list archives

Re: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewal


From: "Carter, Adam" <adam () JAFTAN COM AU>
Date: Wed, 24 Jan 2001 09:18:06 +1100

Currently my team has performed a SYN-Flood attack at one site as part of
the penetration test that is running SunScreen EFS on SunOS 5.6. We perform
the attack using TFN2K and managed to halt the server by using only one
attack machine. (The throughput is around 300-500k)
<snip>
Apart from using NIDS or configuring router to provide SYN-Flood
countermeasures (which is quite costly), is there something wrong with the
above settings or any other things that can be done at OS level to address
this problem?

Perhaps I am misunderstanding the attack, but SYN flooding against the
firewall will only work if you are allowing connections to the firewall. If
you are not running VPN or smtp gateways or whatever on the firewall, then
you should deny inbound connection attempts from all hosts except the
management host(s).

IIRC SunScreen is just Checkpoint, so take a look at the implied rules, and
manipulate them via the policy properties page.

If you do need to offer services from the firewall, try using the
SYN-Defender (again in policy properties) and let us know how well it works
;-)

Adam

