Re: Simple DOS attack on FW-1

From: Rogier Wolff (R.E.Wolffat_private)
Date: Wed Aug 04 1999 - 02:56:24 PDT


Lance Spitzner wrote:
> > Also, if they implemented a circular buffer where connections that had
> > been idle the longest were disconnected in favor of new connections their
> > scalability might increase some.
>
> Excellent recommendation, I'll pass it along to Check Point!

That means I can still DOS a site: if I send 500 packets a second, I
can wrap the connection table in 100 seconds. That means that the
idle-timer is reduced from an hour to less than two minutes.

The only solution is to only allow the longer timeout once BOTH sides
have sent a packet.

			Roger.

--
** R.E.Wolffat_private ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
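The arithmetic in the post above (500 one-sided packets per second wrapping a least-recently-used table in 100 seconds, versus the fix of granting the long idle timer only after both sides have sent a packet) can be checked with a small model of the connection table. The following is an added example, not code from the thread or from Check Point; it assumes a table of 50,000 entries (the 500/s x 100 s figure from the post), the one-hour idle timer the post mentions, and a constructed 60-second timer for entries that only one side has spoken on. A single long-lived, legitimately established connection is placed in the table and then one-sided entries arrive at 500 per second; the question is whether the established connection survives under each eviction policy.

```python
"""Toy model of a stateful firewall connection table under two eviction
policies. Added example; not Check Point or FW-1 code. All sizes and
timers below are assumptions constructed for the simulation."""
from collections import OrderedDict

TABLE_SIZE = 50_000   # assumed capacity: 500 packets/s * 100 s from the post
LONG_TIMEOUT = 3600   # the post's one-hour idle timer, in seconds
SHORT_TIMEOUT = 60    # assumed: idle timer for entries only one side has used
ONE_SIDED_RATE = 500  # the post's 500 packets per second


class ConnTable:
    """Connection table with two eviction policies.

    'lru'       : every entry gets LONG_TIMEOUT; when the table is full the
                  least recently seen entry is dropped (the circular-buffer
                  proposal quoted in the thread).
    'two_sided' : an entry only earns LONG_TIMEOUT once both sides have sent
                  a packet; one-sided entries time out after SHORT_TIMEOUT and
                  are evicted first when the table is full (the post's fix).
    """

    def __init__(self, policy, size=TABLE_SIZE):
        self.policy = policy
        self.size = size
        # Both buckets map flow key -> last_seen; insertion order is
        # last_seen order because every update re-appends at the end.
        self.half_open = OrderedDict()
        self.established = OrderedDict()

    def __len__(self):
        return len(self.half_open) + len(self.established)

    def _timeout(self, two_sided):
        if self.policy == "lru":
            return LONG_TIMEOUT
        return LONG_TIMEOUT if two_sided else SHORT_TIMEOUT

    def expire(self, now):
        """Drop entries idle longer than their bucket's timeout."""
        for bucket, two_sided in ((self.half_open, False), (self.established, True)):
            limit = self._timeout(two_sided)
            while bucket and now - next(iter(bucket.values())) > limit:
                bucket.popitem(last=False)

    def _make_room(self):
        if len(self) < self.size:
            return
        if self.policy == "two_sided" and self.half_open:
            self.half_open.popitem(last=False)  # one-sided entries go first
            return
        # Pure LRU: evict whichever bucket holds the globally oldest entry.
        candidates = [(next(iter(b.values())), b) for b in (self.half_open, self.established) if b]
        _, oldest_bucket = min(candidates, key=lambda c: c[0])
        oldest_bucket.popitem(last=False)

    def packet(self, key, now, from_responder=False):
        """Record a packet for flow `key`; a responder packet promotes it."""
        if key in self.established:
            self.established[key] = now
            self.established.move_to_end(key)
        elif key in self.half_open:
            del self.half_open[key]
            if from_responder:
                self.established[key] = now
            else:
                self.half_open[key] = now
        else:
            self._make_room()
            self.half_open[key] = now

    def has(self, key):
        return key in self.half_open or key in self.established


def simulate(policy, seconds=120, size=TABLE_SIZE):
    """Run the flood for `seconds` and report whether the established
    connection 'victim' survived, and at which second it was lost if not."""
    table = ConnTable(policy, size)
    table.packet("victim", 0)
    table.packet("victim", 0, from_responder=True)  # both sides have spoken
    flow = 0
    for now in range(1, seconds + 1):
        table.expire(now)
        for _ in range(ONE_SIDED_RATE):
            flow += 1
            table.packet(f"one-sided-{flow}", now)  # constructed, never answered
        if not table.has("victim"):
            return False, now
    return True, None


if __name__ == "__main__":
    print("lru      :", simulate("lru"))        # victim lost at second 100
    print("two_sided:", simulate("two_sided"))  # victim survives
```

Under the LRU policy the idle victim becomes the least recently seen entry as soon as the table fills, which happens at second 100, exactly the post's figure. Under the two-sided policy the one-sided entries expire after 60 seconds, so the table never fills; even with a much smaller table (pass `size=1000`) the half-open entries are evicted ahead of the established connection, which keeps its full hour.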
    



This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:03 PDT