I ran into a similar problem. The connections table has a configurable limit, but the xlation table doesn't (FW-1 3.x). Someone in Rumania (I *think* it was) evidently was unhappy with his ISP, so he sent out a virus which would cause the infected machine to spawn a zillion half-open connections to the ISP. For a FW-1 system running NAT, it would cause a DOS when the xlate table filled. It has a hard limit of 25000. Like many others here, I wrote a perl script to dump the xlation table, count the slots for a given machine and sort it, allowing me to find the culprit. According to Symantec, it is a relatively uncommon virus.

"Spitzner, Lance" wrote:

> I would greatly appreciate if you could pass this along.
> It does a much better job of explaining what the exact
> problem/DOS is with FW-1.
> . . . .
> I would greatly appreciate if anyone could prove/disprove
> this. Also, FW-1's SynDefender did not protect against this
> attack.
>
> Lance
> http://www.enteract.com/~lspitz

--
"Intrinsically lazy, therefore creative"
PGP Fingerprint: 22 68 D5 18 7F 3D D2 28 38 97 90 97 17 55 61 59
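The poster's approach (dump the xlate table, count slots per internal host, sort, find the culprit) as an added example in Python; this is not the poster's perl script and not Check Point code. The dump format is an assumption: each entry is taken to be a tuple of five 8-digit hex words <src, sport, dst, dport, proto>, and the sample dump is constructed, not captured from a real FW-1 box. The 25000 figure is the hard limit the post states.

```python
import re
from collections import Counter

# Hard limit of the FW-1 3.x xlate table as stated in the post above.
XLATE_HARD_LIMIT = 25000

# Constructed sample dump (NOT real FW-1 output). Assumed layout:
# <src, sport, dst, dport, proto>, every field an 8-digit hex word.
SAMPLE_DUMP = """\
<c0a80105, 00000400, 0a000001, 00000050, 00000006>
<c0a80105, 00000401, 0a000001, 00000050, 00000006>
<c0a80105, 00000402, 0a000002, 00000050, 00000006>
<c0a80107, 00000403, 0a000001, 00000050, 00000006>
<c0a80105, 00000404, 0a000003, 00000019, 00000006>
<c0a80108, 00000405, 0a000001, 00000035, 00000011>
"""

HEX = r"([0-9a-fA-F]{8})"
ENTRY_RE = re.compile(r"<\s*" + r"\s*,\s*".join([HEX] * 5) + r"\s*>")


def hex_to_ip(word):
    """Turn a 32-bit hex word such as c0a80105 into dotted-quad 192.168.1.5."""
    n = int(word, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_entries(dump):
    """Yield one dict per xlate entry found in the dump text."""
    for m in ENTRY_RE.finditer(dump):
        src, sport, dst, dport, proto = m.groups()
        yield {
            "src": hex_to_ip(src),
            "sport": int(sport, 16),
            "dst": hex_to_ip(dst),
            "dport": int(dport, 16),
            "proto": int(proto, 16),
        }


def count_by_source(dump):
    """Number of xlate slots held by each internal (pre-NAT) source address."""
    return Counter(e["src"] for e in parse_entries(dump))


def top_talkers(dump, n=5):
    """Sources sorted by slot count, most slots first; the culprit is at the top."""
    return count_by_source(dump).most_common(n)


def table_usage(dump, limit=XLATE_HARD_LIMIT):
    """Total slots in use and the fraction of the hard limit they consume."""
    total = sum(1 for _ in parse_entries(dump))
    return total, total / limit


def hosts_over_share(dump, max_share=0.5):
    """Sources holding more than max_share of all slots: candidates for the
    infected machine described in the post."""
    counts = count_by_source(dump)
    total = sum(counts.values())
    if total == 0:
        return []
    return [(ip, c) for ip, c in counts.most_common() if c / total > max_share]


if __name__ == "__main__":
    used, frac = table_usage(SAMPLE_DUMP)
    print(f"xlate slots in use: {used} ({frac:.4%} of {XLATE_HARD_LIMIT})")
    for ip, slots in top_talkers(SAMPLE_DUMP):
        print(f"{ip:15s} {slots}")
    for ip, slots in hosts_over_share(SAMPLE_DUMP):
        print(f"suspect: {ip} holds {slots} of {used} slots")
```

In practice the dump text would come from whatever command prints the table on the firewall in question (the post does not say which); the parser above only assumes the tuple layout described in the lead-in, so if the real layout differs only ENTRY_RE and the field order in parse_entries need changing.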
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:52 PDT