Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: jroberson () CHESAPEAKE NET (Jeff Roberson)
Date: Fri, 30 Jul 1999 20:06:37 -0400
It seems to me that if they maintain TCP state they could set a significantly smaller timeout if the connection is not established. So a timeout of a minute should be set on the initial syn request, and the larger timeout should only be used after the connection is established. Also, if they implemented a circular buffer where connections that had been idle the longest were disconnected in favor of new connections, their scalability might increase some.

Jeff

On Fri, 30 Jul 1999, David Taylor wrote:
> On Thu, 29 Jul 1999, Lance Spitzner wrote:
> > When FW-1's state connections table is full, it can no longer accept any more connections (usually between 25,000-35,000 connections, depending on your system). (You can increase this number by increasing kernel memory for the FW-1 module and hacking ../lib/table.def.) However, a port scanner can build that many connections in a matter of minutes.
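The two changes Jeff proposes (a short timeout while a connection is still half-open, and throwing out the idlest entry when the table is full) simulated against a SYN flood. This is an added example, not part of the original thread and not Check Point FW-1 code: the 25,000-entry capacity follows the figure Lance quotes, while the 3600 s established timeout, the 60 s half-open timeout, the packet rates and the source/destination addresses are assumptions made up for the run.

```python
"""Simulated fixed-size stateful connection table under a half-open (SYN)
flood.  Added example, not Check Point FW-1 code: capacity 25,000 follows
the thread; timeouts, packet rates and addresses are assumptions."""

from collections import OrderedDict

SYN_SENT, ESTABLISHED = "SYN_SENT", "ESTABLISHED"


class ConnTable:
    """Connection table keyed by (src, sport, dst, dport), kept in
    least-recently-touched order so the front entry is the idlest one."""

    def __init__(self, capacity, established_timeout, syn_timeout=None,
                 evict_lru=False):
        self.capacity = capacity
        self.established_timeout = established_timeout
        # Shorter timeout for half-open entries (Jeff's first proposal);
        # None means one timeout for every state, as the thread assumes FW-1 does.
        self.syn_timeout = established_timeout if syn_timeout is None else syn_timeout
        self.evict_lru = evict_lru    # Jeff's second proposal: idlest entry makes room
        self.entries = OrderedDict()  # key -> [state, last_seen]
        self.refused = 0
        self.evicted = 0

    def _expire(self, now):
        # Entries are ordered by last_seen, so scan from the idle end and stop
        # at the first entry younger than the shortest timeout in use.
        shortest = min(self.syn_timeout, self.established_timeout)
        expired = []
        for key, (state, last_seen) in self.entries.items():
            if now - last_seen <= shortest:
                break
            timeout = self.syn_timeout if state == SYN_SENT else self.established_timeout
            if now - last_seen > timeout:
                expired.append(key)
        for key in expired:
            del self.entries[key]

    def syn(self, key, now):
        """New SYN arrives. Returns True if a slot was found for the half-open entry."""
        self._expire(now)
        if key in self.entries:
            self.entries[key][1] = now
            self.entries.move_to_end(key)
            return True
        if len(self.entries) >= self.capacity:
            if not self.evict_lru:
                self.refused += 1
                return False
            self.entries.popitem(last=False)  # idlest connection loses its slot
            self.evicted += 1
        self.entries[key] = [SYN_SENT, now]
        return True

    def establish(self, key, now):
        """Handshake completed: promote to ESTABLISHED, which gets the long timeout."""
        if key not in self.entries:
            return False
        self.entries[key][:] = [ESTABLISHED, now]
        self.entries.move_to_end(key)
        return True

    def established_count(self):
        return sum(1 for state, _ in self.entries.values() if state == ESTABLISHED)


def syn_flood(table, rate_per_sec, seconds=200, legit_every=10):
    """Flood `rate_per_sec` SYNs/s from unique spoofed sources (constructed
    addresses in 10/8) that never finish the handshake.  Every `legit_every`
    seconds a legitimate client (constructed 198.51.100.x) opens and completes
    a connection.  Returns (legit attempts, legit accepted, legit still in table)."""
    tried = ok = n = 0
    for sec in range(seconds):
        for _ in range(rate_per_sec):
            n += 1
            src = "10.%d.%d.%d" % (n >> 16 & 255, n >> 8 & 255, n & 255)
            table.syn((src, 40000 + n % 20000, "192.0.2.10", 80), sec)
        if sec % legit_every == 0:
            tried += 1
            key = ("198.51.100.%d" % (tried % 250), 50000 + tried, "192.0.2.10", 80)
            if table.syn(key, sec) and table.establish(key, sec):
                ok += 1
    return tried, ok, table.established_count()


def compare():
    """Four configurations over the same 200 s run; 3600 s is the assumed long timeout."""
    return {
        # one long timeout, refuse when full: fills in ~83 s, then nothing new gets in
        "long_timeout_300ps": syn_flood(ConnTable(25000, 3600), 300),
        # 60 s half-open timeout: steady state 300*60 = 18,000 < 25,000, never fills
        "syn60_300ps": syn_flood(ConnTable(25000, 3600, syn_timeout=60), 300),
        # same fix, but 500*60 = 30,000 > 25,000: the attacker just sends faster
        "syn60_500ps": syn_flood(ConnTable(25000, 3600, syn_timeout=60), 500),
        # plus LRU eviction: new connections always get a slot, but idle
        # established ones are the first to be thrown out
        "syn60_lru_500ps": syn_flood(ConnTable(25000, 3600, syn_timeout=60, evict_lru=True), 500),
    }


if __name__ == "__main__":
    for name, (tried, ok, still_in) in compare().items():
        print("%-20s legit accepted %2d/%d, still in table at end: %d" % (name, ok, tried, still_in))
```

The run makes the two caveats visible: a shorter half-open timeout only raises the bar, since the table still fills once flood rate times timeout exceeds its capacity (the 500 packet/s case), and evicting the idlest entry keeps new connections flowing but turns a SYN flood into a way to cut other users' idle established sessions, which is why the last configuration accepts every legitimate connection yet has only a handful of them left at the end.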
