Penetration Testing mailing list archives

Re: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 23 Jan 2001 15:03:11 -0800

On Tue, 23 Jan 2001, Vernon Vernon wrote:

tcp_ip_abort_cinterval = 60,000
tcp_conn_req_max_q0 = 2048/4096/even 300,000

However, it doesn't seem to be effective. We can still DoS the firewall by
one machine.

You're probably blowing out the state table of the Sunscreen software, not
the IP stack of the OS.  Since something with Sunscreen functionality
would have to include a kernel loadable module, it could easily take the
whole machine with it when it blows.  SPF-type software would allocate a
new state table entry for each (apparently) unique new connection.  SYN
flooding from something that spoofs source addresses is going to cause a
lot of trouble.

I haven't used Sunscreen before, but I used to have the same issue with
older versions of Firewall-1 all the time.  There were some tuning
parameters that would let me manually allocate enough memory for the state
table to grow to accommodate the flood.

                                        Ryan
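The sizing argument in the reply above (a stateful-inspection firewall pins one table entry per spoofed SYN until the half-open timer expires, so raising the OS listen queue does nothing if the firewall's own table is the bottleneck) can be worked through with a small model. The following is an added example written for this archive page; it is not code from the original thread, from SunScreen or from Firewall-1. The table capacities, timeout, flood rate and addresses are constructed for illustration, and the model assumes every spoofed SYN costs one entry for the full half-open lifetime (no SYN cookies or early-drop heuristics, which real products may add).

```python
"""Model of a stateful firewall's connection table under a spoofed SYN flood.

Added example (constructed numbers); it shows why the table fills at roughly
syn_rate x half_open_timeout entries and why only a larger table or a
shorter half-open lifetime keeps legitimate connections flowing.
"""
import ipaddress
from collections import OrderedDict


class StateTable:
    """Minimal stateful-inspection connection table.

    Each new 4-tuple gets an entry; half-open entries are aged out after
    `half_open_timeout` seconds (the role tcp_ip_abort_cinterval plays in
    the Solaris stack). When the table is full, further SYNs are dropped.
    """

    def __init__(self, capacity, half_open_timeout):
        self.capacity = capacity
        self.timeout = half_open_timeout
        # flow -> expiry time. Every entry gets the same lifetime, so
        # insertion order is expiry order and the first entry is the oldest.
        self.entries = OrderedDict()
        self.dropped = 0

    def _expire(self, now):
        while self.entries:
            _, expiry = next(iter(self.entries.items()))
            if expiry > now:
                break
            self.entries.popitem(last=False)

    def syn(self, flow, now):
        """Process a SYN for `flow` at time `now`; return True if admitted."""
        self._expire(now)
        if flow in self.entries:
            return True  # retransmit of a known half-open connection
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[flow] = now + self.timeout
        return True


def required_capacity(syn_rate, half_open_timeout):
    """Steady-state entries a spoofed flood pins in the table: rate x lifetime."""
    return syn_rate * half_open_timeout


def simulate(capacity, timeout, syn_rate, seconds):
    """Run `seconds` of flood at `syn_rate` spoofed SYNs/s against a table.

    One legitimate client (constructed address 10.0.0.5) sends one SYN per
    second from a fresh source port, ahead of that second's flood packets.
    Returns how many of those legitimate SYNs were admitted.
    """
    table = StateTable(capacity, timeout)
    # Spoofed sources are drawn from 198.18.0.0/15 (benchmarking range) so
    # that every flood packet carries a never-before-seen source address and
    # therefore costs a fresh table slot.
    spoof_base = int(ipaddress.IPv4Address("198.18.0.0"))
    admitted = 0
    spoofed = 0
    for now in range(seconds):
        legit = ("10.0.0.5", 40000 + now, "192.0.2.10", 80)
        if table.syn(legit, now):
            admitted += 1
        for _ in range(syn_rate):
            spoofed += 1
            src = str(ipaddress.IPv4Address(spoof_base + spoofed))
            table.syn((src, 1234, "192.0.2.10", 80), now)
    return admitted


if __name__ == "__main__":
    rate, timeout = 1000, 60
    print("entries pinned at steady state:", required_capacity(rate, timeout))
    for cap, to in ((4096, 60), (4096, 3), (300000, 60)):
        ok = simulate(cap, to, rate, 20)
        print("capacity=%-7d timeout=%2ds -> %2d/20 legitimate SYNs admitted"
              % (cap, to, ok))
```

With a 60 second half-open lifetime and 1,000 spoofed SYNs per second the table needs about 60,000 entries; a 4,096-entry table is exhausted within five seconds and every later legitimate SYN is dropped, while either a table large enough for the flood or a much shorter half-open timeout keeps the legitimate client connecting. The two knobs in the quoted ndd settings map onto exactly those two parameters, which is why tuning them on the OS stack alone does not help when the firewall keeps its own table.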

