Re: Simple DOS attack on FW-1

From: Jason R. Rhoads (jason.rhoadsat_private)
Date: Fri Jul 30 1999 - 18:48:00 PDT


    I have written a small Perl script, fwconwatch.pl, to monitor the status
    of the FW-1 connection table.  When the table reaches a predefined
    limit, the script sends an alert and emails a listing of the top
    connection source addresses.  The script also monitors CPU utilization
    as I have found this to be another good indicator of abnormal activity.
    
    Once the script has been configured and tested, it can be added to the
    /etc/init.d/firewall1 script:
    
      #!/bin/sh
      # FW-1 Start
      if [ -f /etc/fw/bin/fwstart ]; then
        FWDIR=/etc/fw
        export FWDIR
        /etc/fw/bin/fwstart
        /etc/fw/bin/fwconwatch.pl&
      fi
      # FW-1 END
    
    
    fwconwatch can be found here: http://www.sabernet.net/software/
    
    Lance Spitzner's fwtable.pl script is used to list the top connection
    sources; it can be found here:
    http://www.enteract.com/~lspitz/fwtable.html
    
    Regards,
    Jason
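
The check described in the message (alert when the connection table reaches a limit, then list the top source addresses) is sketched below as an added example; it is not fwconwatch.pl or fwtable.pl. The one-entry-per-line hex tuple layout, the sample data and all function names are assumptions made for the illustration, not FW-1's documented output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample dump. Assumed layout: one entry per line, hex fields
# <src addr, src port, dst addr, dst port, protocol>.
SAMPLE = """\
connections table (constructed sample)
<c0a80105, 0000040a, 0a000001, 00000050, 00000006>
<c0a80105, 0000040b, 0a000001, 00000050, 00000006>
<0a000002, 00000d05, 0a000001, 00000019, 00000006>
<c0a80105, 0000040c, 0a000001, 00000050, 00000006>
<c0a80107, 00000801, 0a000001, 00000035, 00000011>
<truncated entry
<0a000002, 00000d06, 0a000001, 00000019, 00000006>
<c0a80105, 0000040d, 0a000001, 00000050, 00000006>
"""

# First field of a well-formed entry: the source address as 8 hex digits.
ENTRY = re.compile(r"<\s*([0-9a-fA-F]{8})\s*,")

def parse_sources(dump):
    """Yield the dotted-quad source of each well-formed entry; skip the rest."""
    for line in dump.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield str(ipaddress.IPv4Address(int(m.group(1), 16)))

def check_table(dump, limit, top_n=3):
    """Return (alert, total entries, top sources) for one table dump."""
    counts = Counter(parse_sources(dump))
    total = sum(counts.values())
    return total >= limit, total, counts.most_common(top_n)

def format_alert(total, limit, top):
    """Build the alert body: table size followed by the top sources."""
    lines = [f"connection table at {total} entries (limit {limit})"]
    lines += [f"  {n:6d}  {src}" for src, n in top]
    return "\n".join(lines)

if __name__ == "__main__":
    LIMIT = 5  # hypothetical threshold, chosen to trip on the sample
    alert, total, top = check_table(SAMPLE, LIMIT)
    if alert:
        print(format_alert(total, LIMIT, top))
```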
    


