Penetration Testing mailing list archives
Re: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 23 Jan 2001 15:03:11 -0800
On Tue, 23 Jan 2001, Vernon Vernon wrote:
> tcp_ip_abort_cinterval = 60,000
> tcp_conn_req_max_q0 = 2048/4096/even 300,000
> However, it doesn't seem to be effective. We can still DoS the firewall with one machine.
You're probably blowing out the state table of the Sunscreen software, not the IP stack of the OS. Since something with Sunscreen functionality would have to include a kernel loadable module, it could easily take the whole machine with it when it blows. SPF-type software would allocate a new state table entry for each (apparently) unique new connection. SYN flooding from something that spoofs source addresses is going to cause a lot of trouble. I haven't used Sunscreen before, but I used to have the same issue with older versions of Firewall-1 all the time. There were some tuning parameters that would let me manually allocate enough memory for the state table to grow to accommodate the flood.

Ryan
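An added model of the state-table exhaustion Ryan describes (illustration only, not Sunscreen or Firewall-1 code): a half-open table needs roughly rate x hold-time slots to keep every unanswered SYN, so with the thread's 60,000 ms abort interval a 2048-entry table fills within seconds of a modest distinct-source flood, and shortening the hold time does more than enlarging the queue. Class and function names, the address range and all rates are constructed.

```python
"""Toy model of a stateful firewall's half-open connection table.

Added illustration for the thread above, not Sunscreen or Firewall-1 code.
Times are in milliseconds, matching tcp_ip_abort_cinterval; the table size
plays the role of tcp_conn_req_max_q0. Nothing here touches a network.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    max_entries: int   # slots for SYNs still waiting for the handshake to finish
    abort_ms: int      # how long an unanswered SYN keeps its slot
    entries: dict = field(default_factory=dict)  # 4-tuple -> expiry ms, oldest first
    dropped: int = 0

    def expire(self, now_ms):
        # dict keeps insertion order, so the oldest entry is first; stop at the first live one
        while self.entries:
            oldest = next(iter(self.entries))
            if self.entries[oldest] > now_ms:
                break
            del self.entries[oldest]

    def syn(self, now_ms, src, sport, dst, dport):
        """Return True if this SYN holds a slot, False if the table was full."""
        self.expire(now_ms)
        key = (src, sport, dst, dport)
        if key in self.entries:  # retransmit of a known half-open: no new slot
            return True
        if len(self.entries) >= self.max_entries:
            self.dropped += 1
            return False
        self.entries[key] = now_ms + self.abort_ms
        return True


def slots_needed(syn_per_sec, abort_ms):
    """Slots that distinct-source SYNs occupy at steady state: rate x hold time."""
    return syn_per_sec * abort_ms // 1000


def simulate(max_entries, abort_ms, syn_per_sec, seconds):
    """Offer syn_per_sec SYNs per second, each from a constructed distinct source."""
    table = HalfOpenTable(max_entries, abort_ms)
    for n in range(seconds * syn_per_sec):
        now_ms = n * 1000 // syn_per_sec
        src = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"  # constructed address
        table.syn(now_ms, src, 1024 + n % 60000, "192.0.2.1", 80)  # 192.0.2.1 is a doc address
    return table
```

Comparing `simulate(2048, 60000, 1000, 5)` with `simulate(2048, 1000, 1000, 5)` shows the same 2048-slot table dropping most SYNs at a 60 s hold time and none at 1 s.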