On Wed, 16 Oct 2002, Paul D. Robertson wrote:

> On Wed, 16 Oct 2002, Mikael Olsson wrote:
>
> > Although this is something that people need to keep in mind when
> > picking / designing a firewall, I'd argue that anything north of
> > a stateless packet filter is going to be vulnerable to this sort
> > of attack.
>
> So will anything south of a firewall- hosts aren't immune to flooding
> attacks either, with or without state, nor are routers...
>
> > If you keep state, you will be vulnerable to state table overflows.
>
> I don't know that "overflow" is the right word here, "exhaustion" seems
> more fitting.
>
> When I first looked at this, I kind of shrugged and said "So what?" the
> firewall is doing its job- stopping packets when there's an attack-

Although the second technique mentioned, the CRC host after the firewall
attack, seems to indicate otherwise, as the packets leave the gateway and
hit the host, which then rejects the packets.  It's that method that
seems to be different, and perhaps an issue vendors now need to look into
dealing with.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.
It eliminates dreams, goals, and ideals and lets us get straight
to the business of hate, debauchery, and self-annihilation."
               -- Johnny Hart
testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
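The state-table exhaustion Paul and Mikael are discussing, and the case Ron raises where the gateway creates state and forwards a packet that the host then rejects, as an added toy simulation in Python. This is editorial illustration, not code from the thread, from the paper under discussion, or from any firewall product. The table size (1000 entries), the half-open timeout (60 s), the attacker rate (50 spoofed SYNs/s) and the one-new-client-per-second legitimate traffic are all assumptions chosen to make the effect visible; "host rejects the packet" is modelled simply as a handshake that never completes, without any claim about why a real host would reject it.

```python
"""Toy model of a stateful packet filter with a finite state table.

Added illustration for this thread; not code from any firewall product
and not taken from the paper under discussion.  Table size, timeouts and
traffic rates are assumptions chosen to make the effect visible.
"""
from collections import OrderedDict

CAPACITY = 1000            # assumed: maximum concurrent state entries
HALF_OPEN_TTL = 60.0       # assumed: seconds a half-open entry is kept
ESTABLISHED_TTL = 3600.0   # assumed: idle seconds an established entry is kept


class StateTable:
    """Tracks (src, dst) flows; an entry is "half-open" until the handshake completes."""

    def __init__(self, capacity=CAPACITY, half_open_ttl=HALF_OPEN_TTL,
                 evict_half_open_when_full=False):
        self.capacity = capacity
        self.half_open_ttl = half_open_ttl
        self.evict = evict_half_open_when_full
        self.entries = OrderedDict()   # (src, dst) -> [state, last_seen]
        self.dropped_new = 0           # new flows refused for lack of room
        self._last_expire = None

    def _expire(self, now):
        if now == self._last_expire:   # scan the table once per tick
            return
        self._last_expire = now
        dead = [k for k, (st, seen) in self.entries.items()
                if now - seen > (self.half_open_ttl if st == "half-open"
                                 else ESTABLISHED_TTL)]
        for k in dead:
            del self.entries[k]

    def syn(self, src, dst, now):
        """A SYN for a flow arrives.  Returns True if the firewall holds
        (or creates) state and forwards it, False if it refuses for lack of room."""
        self._expire(now)
        key = (src, dst)
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity and self.evict:
            # Under pressure, sacrifice the oldest half-open entry rather
            # than refuse the new flow; established flows are never evicted.
            victim = next((k for k, (st, _) in self.entries.items()
                           if st == "half-open"), None)
            if victim is not None:
                del self.entries[victim]
        if len(self.entries) >= self.capacity:
            self.dropped_new += 1
            return False
        self.entries[key] = ["half-open", now]
        return True

    def handshake_complete(self, src, dst, now):
        """The host answered and the three-way handshake finished."""
        entry = self.entries.get((src, dst))
        if entry is not None:
            entry[0] = "established"
            entry[1] = now


def simulate(evict=False, attacker_rate=50, seconds=120, half_open_ttl=HALF_OPEN_TTL):
    """Constructed traffic: an attacker sends `attacker_rate` SYNs per second
    from never-repeating spoofed sources to a host behind the firewall.  The
    firewall tracks and forwards each one; the host rejects it (modelling the
    case Ron raises), so the entry never leaves "half-open" and lingers until
    its timeout.  One legitimate client opens a new connection each second
    and completes its handshake when admitted.
    Returns (legitimate_connections_admitted, legitimate_connections_refused)."""
    table = StateTable(half_open_ttl=half_open_ttl,
                       evict_half_open_when_full=evict)
    target = "10.0.0.5:80"          # assumed address of the protected host
    admitted = refused = 0
    for t in range(seconds):
        now = float(t)
        for i in range(attacker_rate):
            table.syn(f"spoofed-{t}-{i}", target, now)   # host never replies
        client = f"client-{t}"
        if table.syn(client, target, now):
            table.handshake_complete(client, target, now)
            admitted += 1
        else:
            refused += 1
    return admitted, refused


if __name__ == "__main__":
    # Plain finite table: once the attacker's half-open entries fill it,
    # every new legitimate flow is refused until entries time out.
    print("no eviction      ", simulate(evict=False))
    # Prefer dropping the attacker's half-open junk over refusing new flows.
    print("evict half-open  ", simulate(evict=True))
```

With these assumed numbers the plain table fills after 19 seconds and then refuses every new legitimate connection for the rest of the run, even though the firewall is "doing its job" in the sense of dropping packets; the attacker's entries that the host never answered are exactly what keeps it full. Preferring to evict the oldest half-open entry when the table is full keeps admitting the legitimate client for the whole run, because the attacker only ever displaces its own junk and never an established flow. The numbers change with the parameters, but the shape of the result is the point of the thread: any device that keeps per-flow state has a finite table, and state created for packets the host behind it rejects is state the attacker fills for free.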
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 07:19:43 PDT