Bugtraq mailing list archives
Re: Simple DOS attack on FW-1
From: jason.rhoads () SABERNET NET (Jason R. Rhoads)
Date: Fri, 30 Jul 1999 18:48:00 -0700
I have written a small perl script, fwconwatch.pl to monitor the status
of the FW-1 connection table. When the table reaches a predefined
limit, the script sends an alert and emails a listing of the top
connection source addresses. The script also monitors CPU utilization
as I have found this to be another good indicator of abnormal activity.
Once the script has been configured and tested, it can be added to the
/etc/init.d/firewall1 script:

#!/bin/sh
# FW-1 Start
if [ -f /etc/fw/bin/fwstart ]; then
    FWDIR=/etc/fw
    export FWDIR
    /etc/fw/bin/fwstart
    /etc/fw/bin/fwconwatch.pl &
fi
# FW-1 END

fwconwatch can be found here: http://www.sabernet.net/software/
Lance Spitzner's fwtable.pl script is used to list the top connection
sources which can be found here:
http://www.enteract.com/~lspitz/fwtable.html
Regards,
Jason
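
The monitoring logic described in the message above (alert when the connection count or CPU utilization reaches a limit, and list the top connection sources), as an added example that is not part of the original post and is not the code of fwconwatch.pl or fwtable.pl. The "src dst dport" input layout, the limits and the function names are assumptions made for illustration; the sample data is constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample: one decoded connection per line as "src dst dport".
# This simplified layout is an assumption, not FW-1's native table output.
SAMPLE_TABLE = """\
10.1.1.5 192.0.2.10 80
10.1.1.5 192.0.2.10 80
10.1.1.5 192.0.2.11 25
10.1.1.9 192.0.2.10 80
203.0.113.7 192.0.2.10 80
203.0.113.7 192.0.2.10 80
203.0.113.7 192.0.2.10 80
203.0.113.7 192.0.2.10 80
not-an-entry
"""

def parse_sources(listing):
    """Return the source address of every well-formed entry; skip the rest."""
    sources = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            sources.append(str(ipaddress.ip_address(fields[0])))
        except ValueError:
            continue  # header or garbled line, not a connection entry
    return sources

def check(listing, cpu_percent, conn_limit=6, cpu_limit=90.0, top_n=2):
    """Return an alert dict when either limit is reached, else None."""
    sources = parse_sources(listing)
    reasons = []
    if len(sources) >= conn_limit:
        reasons.append(f"connections {len(sources)} >= limit {conn_limit}")
    if cpu_percent >= cpu_limit:
        reasons.append(f"cpu {cpu_percent:.0f}% >= limit {cpu_limit:.0f}%")
    if not reasons:
        return None
    # The top talkers go into the alert so the recipient can see who fills the table.
    return {"reasons": reasons, "top": Counter(sources).most_common(top_n)}

if __name__ == "__main__":
    alert = check(SAMPLE_TABLE, cpu_percent=35.0)
    if alert:
        print("; ".join(alert["reasons"]))
        for src, count in alert["top"]:
            print(f"{count:5d}  {src}")
```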
