Re: Simple DOS attack on FW-1
From: jroberson () CHESAPEAKE NET (Jeff Roberson)
Date: Fri, 30 Jul 1999 20:06:37 -0400
It seems to me that if they maintain TCP state they could set a
significantly smaller timeout if the connection is not established. So a
timeout of a minute should be set on the initial syn request, and the
larger timeout should only be used after the connection is established.
Also, if they implemented a circular buffer where connections that had
been idle the longest were disconnected in favor of new connections their
scalability might increase some.
On Fri, 30 Jul 1999, David Taylor wrote:
> On Thu, 29 Jul 1999, Lance Spitzner wrote:
> > When FW-1's state connections table is full, it can no longer
> > accept any more connections (usually between 25,000-35,000
> > connections, depending on your system). You can increase this
> > number by increasing kernel memory for the FW-1 module and
> > hacking ../lib/table.def. However, a port scanner can build
> > that many connections in a matter of minutes.
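The two suggestions in the reply above (a short timeout for half-open entries, a long one only after the handshake completes, and LRU eviction of the longest-idle entry instead of refusing new flows) can be modelled with a small state table. The following is an added example, not code from the original thread or from FW-1; the table size, timeouts, addresses and traffic mix are constructed values, and `compare()` runs the same traffic against a single long timeout with and without LRU eviction and against tiered timeouts so the difference in table exhaustion is visible.

```python
"""Added example, not code from the original thread or from FW-1: a toy
connection-state table that models the two suggestions in the reply above,
a short timeout for half-open (SYN-only) entries versus a long one for
established connections, and LRU eviction of the longest-idle entry when the
table is full. compare() runs the same constructed traffic against three
policies so the effect on table exhaustion can be seen. All sizes, timeouts
and addresses are constructed values, not FW-1's."""
from collections import OrderedDict


class StateTable:
    """Firewall state table keyed by (src, sport, dst, dport)."""

    def __init__(self, capacity, half_open_timeout, established_timeout, lru_evict):
        self.capacity = capacity
        self.half_open_timeout = half_open_timeout
        self.established_timeout = established_timeout
        self.lru_evict = lru_evict
        self.table = OrderedDict()  # oldest (least recently seen) first
        self.evicted = 0
        self.refused = 0

    def __len__(self):
        return len(self.table)

    def _expire(self, now):
        """Drop entries idle longer than the timeout for their state."""
        for key, (established, last_seen) in list(self.table.items()):
            limit = self.established_timeout if established else self.half_open_timeout
            if now - last_seen > limit:
                del self.table[key]

    def accept(self, key, now, established):
        """Record a packet for flow `key`; return False if the table refused it."""
        self._expire(now)
        if key in self.table:
            was_established, _ = self.table[key]
            self.table[key] = (was_established or established, now)
            self.table.move_to_end(key)  # most recently seen goes last
            return True
        if len(self.table) >= self.capacity:
            if not self.lru_evict:
                self.refused += 1
                return False
            self.table.popitem(last=False)  # evict the longest-idle entry
            self.evicted += 1
        self.table[key] = (established, now)
        return True


def simulate(table):
    """Constructed traffic: 50 established flows refreshed every 30 s, plus
    10 half-open entries per second for 100 s that never complete the handshake.
    At t=300 s one new legitimate SYN arrives; report whether it got an entry."""
    legit = [("10.0.0.%d" % i, 40000 + i, "192.0.2.1", 80) for i in range(50)]
    for now in range(0, 301):
        if now % 30 == 0:
            for key in legit:
                table.accept(key, now, established=True)
        if now < 100:
            for j in range(10):
                key = ("198.51.100.%d" % (now % 250), 1024 + now * 10 + j, "192.0.2.1", 80)
                table.accept(key, now, established=False)
    new_ok = table.accept(("10.0.0.200", 50000, "192.0.2.1", 80), 300, established=False)
    return {"new_syn_accepted": new_ok, "entries": len(table),
            "evicted": table.evicted, "refused": table.refused}


def compare(capacity=1000):
    """Same traffic against one long timeout (refuse / LRU) and tiered timeouts."""
    return {
        "fixed_timeout_refuse": simulate(StateTable(capacity, 3600, 3600, lru_evict=False)),
        "fixed_timeout_lru": simulate(StateTable(capacity, 3600, 3600, lru_evict=True)),
        "tiered_timeout_lru": simulate(StateTable(capacity, 60, 3600, lru_evict=True)),
    }


if __name__ == "__main__":
    for policy, result in compare().items():
        print(policy, result)
```

With a single 3600 s timeout and no eviction the table fills after about 95 s of half-open entries and the later legitimate SYN is refused; LRU eviction alone keeps admitting new flows by dropping the idlest half-open entries; tiered timeouts keep the table from filling in the first place because each half-open entry is gone after 60 s.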