On Fri, 30 Jul 1999, Scott, Richard wrote:

> Sure this is the case if you have a rule set that has something like: let
> in a packet that is bound to some address range.
> If I have a rule set that is host based, allowing only a few specific IP
> addresses in, the DoS attack is limited?

Very true, the more strict the rulebase, the better. However, most rulebases
are very lenient for outbound traffic. Many firewalls let any internal system
go anywhere on port 80, allowing company employees external access to the
World Wide Web. This DoS attack is based more on an internal threat. However,
it is easy for an admin to accidentally set off this DoS by doing a simple
port scan from the inside. That is how I discovered this DoS, by accidentally
shooting myself in the foot. I received various emails from admins stating
that they had problems with their firewalls, and now realize they had DoSed
themselves.

> Increasing the size of the connections allowed in the table may only reduce
> the possibility of the attack. Why not increase the number such that it is
> greater than what your bandwidth can handle (advocated by firewall people
> here).

Check Point Firewall-1 can only be increased so much. I believe the max is
around 50,000+, but I have not tested/verified this.

For additional solutions to this issue, I recommend reviewing my website, as
I updated it tonight.

http://www.enteract.com/~lspitz/fwtable.html

Thanks for the input!

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
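The mechanism Lance describes, a lenient "any internal host may go anywhere" outbound rule letting a single internal port scan fill a stateful firewall's connection table so that legitimate users are refused, is easy to see in a small simulation. The following is an added example written for this archive page; it is not code from the original post, from Lance's website, or from Check Point. The table capacity (25,000), the idle timeout for a half-open TCP entry (3600 s), the scan rate, the addresses and the per-source cap are all assumed illustrative values, not measured Firewall-1 parameters, and the per-source limit shown as a mitigation is this example's own choice rather than one the post names.

```python
"""Simulate exhaustion of a stateful firewall's connection table by an
internal port scan passing through a lenient outbound rule.

Added example for this mailing-list page; not Check Point code. All
parameters below are assumed illustrative values, not Firewall-1 settings.
"""
from collections import Counter, deque

TABLE_CAPACITY = 25_000   # assumed: entries the firewall can track at once
CONN_TIMEOUT = 3600.0     # assumed: seconds a half-open TCP entry lingers
SCAN_RATE = 500.0         # assumed: SYNs per second from the scanning host
LEGIT_TIME = 120.0        # assumed: when a normal user opens a web session


class ConnTable:
    """Stateful connection table keyed by (src, dst, dport).

    Entries expire `timeout` seconds after creation. Expiry is lazy and is
    driven by the clock value passed to open(). Because every entry gets the
    same timeout and is never refreshed, the deque is already in expiry order.
    An optional per-source cap limits how many entries one internal host may
    hold, which is the mitigation this example demonstrates.
    """

    def __init__(self, capacity, timeout, per_source_limit=None):
        self.capacity = capacity
        self.timeout = timeout
        self.per_source_limit = per_source_limit
        self.live = set()            # keys currently in the table
        self.expiry = deque()        # (expires_at, key) in insertion order
        self.per_source = Counter()  # src -> live entry count
        self.refused = Counter()     # src -> flows refused

    def _expire(self, now):
        while self.expiry and self.expiry[0][0] <= now:
            _, key = self.expiry.popleft()
            self.live.discard(key)
            self.per_source[key[0]] -= 1

    def open(self, now, src, dst, dport):
        """Admit a new outbound flow at time `now`; returns False if refused."""
        self._expire(now)
        key = (src, dst, dport)
        if key in self.live:
            return True  # already tracked, nothing new to allocate
        cap = self.per_source_limit
        if cap is not None and self.per_source[src] >= cap:
            self.refused[src] += 1
            return False
        if len(self.live) >= self.capacity:
            self.refused[src] += 1  # table full: the DoS in the post
            return False
        self.live.add(key)
        self.expiry.append((now + self.timeout, key))
        self.per_source[src] += 1
        return True

    def __len__(self):
        return len(self.live)


def run_scenario(per_source_limit=None):
    """Constructed scenario: internal host 10.0.0.5 scans 254 external hosts
    on 120 ports each (30,480 flows) through an any-outbound rule, then
    10.0.0.20 tries to open a web session during the scan and again after
    the scan's entries have timed out. Addresses are constructed sample data.
    """
    table = ConnTable(TABLE_CAPACITY, CONN_TIMEOUT, per_source_limit)
    scanner, user = "10.0.0.5", "10.0.0.20"
    flows = 0
    for host in range(1, 255):
        for port in range(1, 121):
            table.open(flows / SCAN_RATE, scanner, f"203.0.113.{host}", port)
            flows += 1
    scan_end = flows / SCAN_RATE
    entries_after_scan = len(table)
    legit_during = table.open(LEGIT_TIME, user, "198.51.100.10", 80)
    legit_after = table.open(scan_end + CONN_TIMEOUT + 1, user, "198.51.100.11", 80)
    return {
        "scan_flows_sent": flows,
        "table_entries_after_scan": entries_after_scan,
        "scanner_flows_refused": table.refused[scanner],
        "legit_admitted_during_scan": legit_during,
        "legit_admitted_after_timeout": legit_after,
    }


if __name__ == "__main__":
    print("lenient outbound rule:", run_scenario())
    print("per-source cap of 100:", run_scenario(per_source_limit=100))
```

With the lenient rule the scan alone fills all 25,000 entries within about a minute and the user's web session is refused until the scan's half-open entries age out an hour later, which is the self-inflicted DoS the post describes; raising the capacity only moves the threshold, since a slightly larger scan fills it again. With a cap of 100 entries per internal source the scanner is held to 100 entries, the other 30,380 probes are refused, and the user's session is admitted immediately.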
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:48 PDT