> Date: Wed, 16 Oct 2002 15:53:37 +0200
> From: Daniel Hartmeier <danielat_private>
>
> On Wed, Oct 16, 2002 at 08:20:09AM -0500, Stephen Gill wrote:
>
> > In my opinion if a stateful firewall claims it can filter at rate X
> > (64byte packets, etc...), it should be able to filter at that rate under
> > all conditions.
>
> Obviously, for any X, when each packet is part of a TCP handshake, the X/2
> (or /3, depending on how you count) newly established connections per
> second will exhaust memory on the firewall after a certain amount of time.
>
> I don't think you meant 'be able to filter at that rate' to include
> 'dropping legitimate connections when running out of memory', did you?
>
> > I'd like to learn some of the other methods being used for mitigation
> > amongst vendors.
>
> Yes, that's what I'd find most interesting to read in vendor statements
> myself. :)
>
> Daniel

In addition to a syn-flood prevention thingy which at a user-configurable
threshold will start dropping X percent of new SYN connections, Netscreen has
a feature where you can limit the number of sessions a particular IP address
can generate, ie:

    set firewall session-threshold source-ip-based 1000

This would seem to be helpful for various things (ie code-red infected
internal hosts), unless you're getting a random IP-address-spoofed incoming
DoS.

--
Philip J. Koenig
pjklistat_private
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 14:14:56 PDT