Re: FW-1 DOS attack: PART II

From: Leif Sawyer (lsawyerat_private)
Date: Tue Aug 03 1999 - 05:35:44 PDT


    It seems to me that this type of problem would be inherent in
    almost any firewall product.  Also, it may be prevalent in any
    application which does network address translation (NAT), due
    to the problem of state-information timeout.
    
    Cisco's NAT implementation sets a default TTL of 24 hours before
    the session entry is cleared from the table. (show ip nat translation)
    
    This can be lowered (shown at 5 minutes) via the commands:
    ip nat translation timeout 300
    ip nat translation tcp-timeout 300
    ip nat translation udp-timeout 300
    ip nat translation icmp-timeout 300
    
    
    This still begs the question, how far do you tune these in order to protect
    yourself against DOS's from portscanners?
    
    > -----Original Message-----
    > From: Spitzner, Lance [mailto:lanceat_private]
    > Sent: Saturday, July 31, 1999 8:32 PM
    > To: BUGTRAQat_private
    > Subject: Re: FW-1 DOS attack: PART II
    >
    >
    > On 31 Jul 1999, James E McWilliams wrote:
    >
    > > Good write-up on the page. I have a wild one for you: in
    > > the INSPECT code, do you think this problem can be solved?  I
    > > am going to start looking at it tonight and see what I can
    > > get going with it.  One more question I had is, and I only
    > > heard back from one person saying they filled up the
    > > connections on a LINUX proxy-based FW in the same manner with
    > > NMAP: I was wondering if this would work on other FW's?
    >
    > Excellent question about the use of Inspect; I do not know.  I
    > talked to several hardcore gurus; it may be possible.  If you
    > come up with anything, let us know!  Meanwhile, I'll be
    > taking a stab at it myself :)
    >
    > As for other FW's I don't know.  You would have to learn how
    > their connections table works.
    >
    > > You might be on to something big...
    >
    > Bigger than I thought.  I hope this doesn't blow up in my face :)
    >
    > Lance
    > http://www.enteract.com/~lspitz
    >
    
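As an added illustration of the state-timeout trade-off raised above (example code written for this page, not from the thread or from any vendor's NAT implementation): a toy NAT/firewall connection table with Cisco-style per-protocol idle timeouts, driven by a constructed port scan. It shows that a flood of unanswered flows occupies roughly rate × timeout entries, which is the number to compare against table capacity when deciding how far to lower the timeouts. The addresses, capacity and packet rate are constructed for the demo.

```python
# Added example, not code from the thread: a toy model of a NAT/firewall state
# table with per-protocol idle timeouts, used to reason about timeout tuning.
# All addresses, rates and capacities below are constructed for the demo.

class StateTable:
    """Connection/NAT table with a fixed capacity and per-protocol idle timeouts."""

    def __init__(self, capacity, timeouts_s):
        self.capacity = capacity
        self.timeouts_s = timeouts_s      # e.g. {"tcp": 300, "udp": 300, "icmp": 300}
        self.entries = {}                 # flow key -> (proto, last_seen_ms)
        self.dropped = 0                  # new flows refused because the table was full

    def expire(self, now_ms):
        """Purge entries idle longer than their protocol's timeout (integer ms, no float drift)."""
        dead = [k for k, (p, t) in self.entries.items()
                if now_ms - t > self.timeouts_s[p] * 1000]
        for k in dead:
            del self.entries[k]

    def observe(self, now_ms, proto, src, sport, dst, dport):
        """Record a packet; a new flow gets an entry only if there is room. Returns True if kept."""
        self.expire(now_ms)
        key = (proto, src, sport, dst, dport)
        if key in self.entries or len(self.entries) < self.capacity:
            self.entries[key] = (proto, now_ms)
            return True
        self.dropped += 1
        return False


def simulate_scan(table, rate_pps, duration_s, proto="tcp"):
    """Feed a constructed scan (every packet is a new flow that is never answered, so
    each entry lives until its idle timeout) and return (peak occupancy, flows dropped)."""
    peak = 0
    for i in range(rate_pps * duration_s):
        now_ms = i * 1000 // rate_pps
        table.observe(now_ms, proto, "10.0.0.9", 40000 + i % 20000, "10.0.0.1", i % 65536)
        peak = max(peak, len(table.entries))
    return peak, table.dropped


def max_timeout_for(capacity, rate_pps):
    """Steady-state occupancy of an unanswered-flow flood is rate * timeout (Little's law),
    so this is the largest idle timeout in seconds that keeps such a flood below capacity."""
    return capacity / rate_pps


if __name__ == "__main__":
    for timeout in (300, 30):   # the 24h default would be far worse; 300 s is the thread's value
        t = StateTable(1000, {"tcp": timeout, "udp": timeout, "icmp": timeout})
        print(timeout, simulate_scan(t, rate_pps=10, duration_s=600), max_timeout_for(1000, 10))
```

With a 1000-entry table and a 10 packet/s scan, the 300 s timeout fills the table and starts refusing new flows, while a 30 s timeout tops out near 300 entries; the tuning answer is bounded by capacity divided by the new-flow rate you must survive, at the cost of cutting off legitimate idle sessions sooner.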



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:57 PDT