Vulnerability Development mailing list archives

RE: Firewall-1 and ISA D.o.S.


From: "Jim Harrison (SPG)" <jmharr () microsoft com>
Date: Mon, 18 Feb 2002 08:53:50 -0800

Interesting DoS (similar in concept to the UDP flood that thor () hammerofgod com reported a few months ago), but how 
would you have the developers deal with it?
Every packet that is seen by any firewall takes some CPU time to examine and decide what to do with it.
Granted, under normal circumstances, this processing overhead is "assumed" and the performance specs for the device 
take that into account.
<rant>
Under situations where there is some jerk in the LAN that has decided to dump his job and leaves such a bomb lying in 
wait (really stupid to do it while he's still there), it's easily blocked at the network level so that the firewall 
doesn't have to deal with it.  Tracking down this sort of game is comparatively simple and I'd personally take great 
pleasure in defenestrating that particular jackass.
</rant>

* Jim Harrison 
MCP(NT4, 2K), A+, Network+
Services Platform Group

Never be afraid to try something new. Remember that amateurs built the Ark. Professionals built the Titanic.



-----Original Message-----
From: overclocking_a_la_abuela () hotmail com [mailto:overclocking_a_la_abuela () hotmail com] 
Sent: Monday, February 18, 2002 04:43
To: vuln-dev () securityfocus com
Subject: Re: Firewall-1 and ISA D.o.S.



In-Reply-To: <3.0.5.32.20020218085949.012f4100@192.228.128.13>

When you stop the attack, the firewall recovers, but think that in the case of ISA D.o.S. I'm sending spoofed packets so it will be more difficult to find the attacker (if you have no IDS or similar).

Suppose the length of the D.o.S. is 1 hour... nobody can surf the web, you cannot access the ISA..., probably no VPN,...

Think about it.

Hugo Vázquez Caramés
Security Consultant




