Vulnerability Development mailing list archives

RE: Firewall-1 and ISA D.o.S.


From: "Dom De Vitto" <Dom () DeVitto com>
Date: Mon, 18 Feb 2002 23:27:17 -0000

 |Hi Dom,
 |
 |I know that you can increase the connections 
 |managed by the kernel of FW-1, I will increase it to 
 |50.000 ( some time ago CheckPoint said to me that it 
 |was the limit... ), but I think the problem is not on that 
 |feature. When I send packets , I send always the 
 |same packet ( same source port, same dest port, 
 |same source address, same dest address , same 
 |sequence number, ... ) so , do you think FW-1 tracks 
 |every packet received as a new connection, or it only 
 |refresh it state table as there was only one 
 |connection ?
Wow, then that's a bug, as "duplicates" should be dropped.

 |Moreover, ippacket generates packets at a very high 
 |rate, and I do not believe FW-1 ( and many other 
 |firewalls ) is able to manage this flood of SYN 
 |requests.
Yep, some firewalls don't even do wire speed, and many can't
cope when it's all small packets.

 |"RTFM" ---> Yes, I read it a loooong time ago, ... have 
 |you at least tried to apply the D.o.S. that I describe ?

No need, on a Pix I've seen it hang because of a single Nimda'd
box! When you limit the connection table size, down to a single
host, then resource exhaustion just freezes comms for that host
for a little while.  I don't think you can do it for a CPK box,
which is a design feature (fully-shared vs. allocated table space)
- somewhere in between would be nice.

Sorry for the comment, it was a long day, and your points
seemed (fairly) obvious.  Of course, if duplicate packets are
causing a problem, then that's a big bug.

Dom
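To illustrate the state-table question the quoted text raises (whether a repeated identical SYN refreshes one entry or is tracked as a new connection every time), here is a toy Python model added to this archive page; it is not Dom's code nor any vendor's firewall code. The table capacity, the addresses and the packets are constructed; the "no-dedupe" mode models the suspected bug, the "dedupe" mode the behaviour Dom says a firewall should have.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:
    """Constructed model of a TCP SYN: the fields a state table keys on."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int

class StateTable:
    """Toy connection-tracking table with a fixed number of slots.

    dedupe=True : a SYN whose 5-tuple already has an entry only refreshes that
                  entry (the behaviour the thread says a firewall should have).
    dedupe=False: every SYN, identical or not, consumes a fresh slot (the
                  suspected bug: one repeated packet fills the whole table).
    """
    def __init__(self, capacity: int, dedupe: bool = True):
        self.capacity = capacity
        self.dedupe = dedupe
        self.entries = {}      # slot key -> tick of the last packet seen
        self.dropped = 0       # packets refused because the table was full

    def on_syn(self, pkt: Syn, now: int) -> bool:
        """Return True if the packet found or obtained a slot."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.dedupe and key in self.entries:
            self.entries[key] = now            # refresh, no new slot used
            return True
        if len(self.entries) >= self.capacity:
            self.dropped += 1                  # resource exhaustion
            return False
        # Buggy mode makes the slot key unique per packet so nothing ever matches.
        slot = key if self.dedupe else (key, len(self.entries))
        self.entries[slot] = now
        return True

def replay_identical_syns(count: int, capacity: int, dedupe: bool) -> dict:
    """Feed the same SYN `count` times, then check whether a different,
    legitimate connection can still get a slot (constructed documentation IPs)."""
    table = StateTable(capacity, dedupe)
    same = Syn("198.51.100.7", 40000, "203.0.113.10", 80, 123456)
    for tick in range(count):
        table.on_syn(same, tick)
    fresh = Syn("198.51.100.8", 40001, "203.0.113.10", 80, 1)
    fresh_ok = table.on_syn(fresh, count)
    return {"entries": len(table.entries), "dropped": table.dropped, "fresh_ok": fresh_ok}
```

Running `replay_identical_syns(1000, 100, dedupe=True)` leaves two entries and drops nothing, while `dedupe=False` fills all 100 slots from one repeated packet and refuses the legitimate connection that follows.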

