Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Simple DOS attack on FW-1
From: Richard.Scott () BESTBUY COM (Scott, Richard)
Date: Fri, 30 Jul 1999 15:19:03 -0500

        I've stumbled across a simple Denial of Service attack for
        FW-1, many of you may already be aware of this.  You can
        effectively shutdown FW-1 by filling its connections table.
        This is easily done in about 15 minutes with most port
        When FW-1's state connections table is full, it can no longer
        accept any more connections (usually between 25,000-35,000
        connections, depending on your system). You can increase this
        number by increasing kernel memory for the FW-1 module and
        hacking ../lib/table.def) However, a port scanner can build
        that many connections in a manner of minutes.

Sure this is the case if you have a rule set that has something like.  Let
in a packet that is bound to some address range.
If I have a rule set that is host based, allowing only a few specific IP
address's in the DoS attack is limited?

Increasing the size of the connections allowed in the table may only reduce
the possibility of the attack.  Why not increase the number such that it is
greater than what your bandwidth can handle (advocated by firewall people


Richard Scott   
(I.S.) E-Commerce Team
* Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

This '|' is not a pipe



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]