"Scott, Richard" wrote:
>
> Sure this is the case if you have a rule set that has something like "let
> in a packet that is bound to some address range."
> If I have a rule set that is host based, allowing only a few specific IP
> addresses in, the DoS attack is limited?

True, but all an attacker has to do is DoS a legitimate server (say IIS, pick your favorite vulnerability ;) which sits behind the firewall and is accessible from the Internet. Once the machine stops responding, the firewall is a sitting target, as I now have an inbound "allow" rule to an IP address which is not responding (the attack does not require full subnet scanning). DoS mode is achievable, which takes out all inbound and outbound traffic.

> Increasing the size of the connections allowed in the table may only reduce
> the possibility of the attack. Why not increase the number such that it is
> greater than what your bandwidth can handle (advocated by firewall people
> here).

Not that easy to do. The default TCP timeout is one hour. You can adjust this lower, but by doing so you run the risk of breaking FTP, which relies on this timeout to keep the command session active during large file transfers. This means that you can easily DoS a firewall sitting on the other end of a 56K connection even if you double the size of the state table. It's the same type of problem you encounter when trying to modify your systems to be immune to SYN attacks.

Also, this is not just a Firewall-1 thing. _Any_ firewall device which attempts to maintain state is going to have similar problems.

Cheers,
Chris

--
**************************************
cbrentonat_private
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
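The tradeoff Chris describes (state-table size versus idle timeout, for a firewall behind a 56K link) can be put into numbers with a small capacity model. This is an added example, not code from the thread; the 48-byte on-wire SYN size and the 25,000/50,000-entry table sizes are constructed assumptions.

```python
from collections import deque

# Constructed assumptions (not from the post): a 56 kbit/s link and a
# 40-byte TCP SYN plus 8 bytes of PPP framing, so 48 bytes on the wire.
LINK_BPS = 56_000
SYN_BYTES_ON_WIRE = 48


def syn_rate_per_second(link_bps=LINK_BPS, syn_bytes=SYN_BYTES_ON_WIRE):
    """Upper bound on new-connection attempts the link itself can deliver."""
    return link_bps / (syn_bytes * 8)          # about 145.8 per second


def steady_state_entries(timeout_s, rate=None):
    """Entries a stateful firewall holds at equilibrium: every entry lives
    until its idle timer expires, so occupancy settles at rate * timeout.
    With the post's one-hour default this is ~525,000 entries, far beyond
    any 'double the table' fix; lowering the timeout is what shrinks it."""
    if rate is None:
        rate = syn_rate_per_second()
    return rate * timeout_s


def simulate_occupancy(timeout_s, capacity, seconds, rate=None):
    """Discrete-event model, one tick per second: new half-open entries are
    added at the link rate and expired when their idle timer fires.
    Returns (peak occupancy, first second the table reached capacity, or
    None if the timeout drained it fast enough to stay below capacity)."""
    if rate is None:
        rate = syn_rate_per_second()
    table = deque()                            # expiry times, oldest first
    peak, first_full = 0, None
    for t in range(seconds):
        while table and table[0] <= t:         # drop entries whose timer fired
            table.popleft()
        for _ in range(int(rate)):             # arrivals during this second
            table.append(t + timeout_s)
        peak = max(peak, len(table))
        if first_full is None and len(table) >= capacity:
            first_full = t
    return peak, first_full


if __name__ == "__main__":
    for cap in (25_000, 50_000):               # constructed table sizes
        print("1h timeout, capacity", cap, "->", simulate_occupancy(3600, cap, 600))
    print("60s timeout, capacity 25000 ->", simulate_occupancy(60, 25_000, 600))
```

Doubling the table only doubles the minutes until it fills, while cutting the idle timeout bounds occupancy at a few thousand entries, which is exactly the FTP-breaking knob the post warns about.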
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:39 PDT