Interesting DoS (similar in concept to the UDP flood that thorat_private reported a few months ago), but how would you have the developers deal with it? Every packet that is seen by any firewall takes some CPU time to examine and decide what to do with it. Granted, under normal circumstances, this processing overhead is "assumed" and the performance specs for the device take that into account.

<rant>
Under situations where there is some jerk in the LAN that has decided to dump his job and leave such a bomb lying in wait (really stupid to do it while he's still there), it's easily blocked at the network level so that the firewall doesn't have to deal with it. Tracking down this sort of game is comparatively simple and I'd personally take great pleasure in defenestrating that particular jackass.
</rant>

* Jim Harrison
MCP(NT4, 2K), A+, Network+
Services Platform Group

Never be afraid to try something new.
Remember that amateurs built the Ark.
Professionals built the Titanic.

-----Original Message-----
From: overclocking_a_la_abuelaat_private [mailto:overclocking_a_la_abuelaat_private]
Sent: Monday, February 18, 2002 04:43
To: vuln-devat_private
Subject: Re: Firewall-1 and ISA D.o.S.

In-Reply-To: <3.0.5.32.20020218085949.012f4100at_private>

When you stop the attack, the firewall recovers, but think that in the case of ISA D.o.S. I'm sending spoofed packets, so it will be more difficult to find the attacker (if you do not have an IDS or similar). Suppose the length of the D.o.S. is 1 hour... nobody can surf the web, you cannot access the ISA..., probably no VPN,... Think about it.
Hugo Vázquez Caramés
Security Consultant
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 13:56:35 PST