In V4.0 the syntax has changed somewhat for the aforementioned command, though the concept still applies...

set zone <zone> screen limit-session source-ip-based <threshold>

I've requested something like

set zone <zone> screen limit-session dest-ip-based <threshold>

but I've not seen it in code yet. If I'm not mistaken I believe CP has added the ability to do both recently.

-- steve

----------------

From: "Philip J. Koenig" <pjklistat_private>
Organization: The Electric Kahuna Organization
To: firewall-wizardsat_private
Date: Wed, 16 Oct 2002 11:50:41 -0700
Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363
Reply-To: pjklistat_private

> Date: Wed, 16 Oct 2002 15:53:37 +0200
> From: Daniel Hartmeier <danielat_private>
>
> On Wed, Oct 16, 2002 at 08:20:09AM -0500, Stephen Gill wrote:
>
> > In my opinion if a stateful firewall claims it can filter at rate X
> > (64byte packets, etc...), it should be able to filter at that rate
> > under all conditions.
>
> Obviously, for any X, when each packet is part of a TCP handshake, the
> X/2 (or /3, depending on how you count) newly established connections
> per second will exhaust memory on the firewall after a certain amount
> of time.
>
> I don't think you meant 'be able to filter at that rate' to include
> 'dropping legitimate connections when running out of memory', did you?
>
> > I'd like to learn some of the other methods being used for
> > mitigation amongst vendors.
>
> Yes, that's what I'd find most interesting to read in vendor statements
> myself. :)
>
> Daniel

In addition to a syn-flood prevention thingy which at a user-configurable threshold will start dropping X percent of new SYN connections, Netscreen has a feature where you can limit the number of sessions a particular IP address can generate, i.e.:

set firewall session-threshold source-ip-based 1000

This would seem to be helpful for various things (i.e. Code Red infected internal hosts), unless you're getting a random IP-address-spoofed incoming DoS.
--
Philip J. Koenig
pjklistat_private
Electric Kahuna Systems -- Computers & Communications for the New Millennium

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
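The two mitigation points raised in the thread (a per-source session threshold, and Daniel's observation that a high enough rate of new connections exhausts the session table regardless) can be shown side by side with a toy session-table model. The code below is an added example and is not from the thread or from any NetScreen or Check Point product; the limit of 1000 sessions per source, the table capacity of 4096, the flood sizes and the addresses are constructed assumptions. It runs the same flood twice: once from a single infected internal host, once with every SYN carrying a different spoofed source, and reports whether a fresh legitimate client can still get a session afterwards.

```python
# Added example (not from the firewall-wizards thread): a toy session table
# that models a per-source session threshold and a finite session capacity.
# All numbers and addresses are assumptions for illustration.
import random
from collections import defaultdict


class SessionTable:
    """Minimal model of a stateful firewall's session table.

    per_source_limit: sessions one source IP may hold (the thread's
                      'source-ip-based' threshold).
    capacity:         total sessions the box can hold before memory is
                      exhausted (assumed, not a vendor figure).
    """

    def __init__(self, per_source_limit, capacity):
        self.per_source_limit = per_source_limit
        self.capacity = capacity
        self.per_source = defaultdict(int)
        self.total = 0
        self.dropped_by_limit = 0
        self.dropped_by_capacity = 0

    def new_session(self, src_ip):
        """Try to install a session for src_ip; return True if accepted."""
        # Per-source threshold first: one abusive host is cut off before it
        # can consume the shared table.
        if self.per_source[src_ip] >= self.per_source_limit:
            self.dropped_by_limit += 1
            return False
        # Memory exhaustion: once the table is full every new session,
        # legitimate or not, is dropped.
        if self.total >= self.capacity:
            self.dropped_by_capacity += 1
            return False
        self.per_source[src_ip] += 1
        self.total += 1
        return True


def run_flood(sources, per_source_limit=1000, capacity=4096):
    """Push one new-session attempt per source IP through the table, then
    check whether a fresh legitimate client (constructed address) still
    gets a session.
    """
    table = SessionTable(per_source_limit, capacity)
    accepted = sum(table.new_session(ip) for ip in sources)
    result = {
        "accepted": accepted,
        "dropped_by_limit": table.dropped_by_limit,
        "dropped_by_capacity": table.dropped_by_capacity,
    }
    result["legit_client_accepted"] = table.new_session("192.0.2.10")
    return result


def single_source_flood(n=5000):
    """One infected internal host (e.g. a worm) opening n sessions."""
    return run_flood(["10.1.2.3"] * n)


def spoofed_flood(n=5000, seed=1):
    """n SYNs, each from a different randomly spoofed source address."""
    rng = random.Random(seed)
    sources = [".".join(str(rng.randrange(256)) for _ in range(4))
               for _ in range(n)]
    return run_flood(sources)


if __name__ == "__main__":
    print("single source :", single_source_flood())
    print("spoofed source:", spoofed_flood())
```

With these assumed numbers the single-host flood is capped at 1000 sessions and the legitimate client still connects, while the spoofed flood never trips the per-source threshold, fills the table to capacity and locks the legitimate client out, which is exactly the caveat at the end of the message above.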
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 15:07:02 PDT