Re: Firewall-1 and ISA D.o.S.

[Lincoln Yeoh <lyeoh () pop jaring my>]

At 12:43 PM 18-02-2002 -0000, overclocking_a_la_abuela () hotmail com wrote:
> In-Reply-To: <3.0.5.32.20020218085949.012f4100@192.228.128.13>
>
> When you stop the attack, the firewall recovers, but 
> think that in the case of ISA D.o.S. I´m sending 
> spoofed packets so it will be more difficult to find the 
> attacker ( if you have not IDS or similar  ).

How fast are the packets being sent? 10Mbps? Or something a lot lower like
100kbps?

If it's low then it's a problem, if 10Mbps then in most cases I still don't
think it's a big problem (unless your firewall is supposed to be a 100Mbps
or 1Gbps rate firewall - is the firewall tested speced for 100Mbps?).

Have you tried rate limiting the packets to see if you can get the same
effects at lower bandwidths? That would be interesting.

Because with high bandwidth usage and the transient effects it shouldn't be
too difficult to quickly figure out which port to unplug/disable - unplug
the right blinking port and everything is back to normal. 

If the attacker is inside then if it keeps happening, it might not be as
difficult to find the perpetrator... If the attacker an external and
sending a trojan inside then in the case of the ISA (or if proxy servers
are required) the attacker has to figure out the relevant internal IPs. 

Furthermore if the attacker can successfully plant a trojan inside, a
transient DoS like this would be welcome compared to all the other things
possible (e.g. remote controlled trojan). Almost like someone sneaking in
to the office and shouting continuously "arrest me".

Cheerio,
Link,