Re: Sessions Resource Exhaustion

On 10/12/07, Nelson Brito <nbrito@sekure.org> wrote:
> No, it does not mean the IPS and/or Firewall is vulnerable... It means that
> the IPS and/or Firewall was designed to handle this amount.

Exactly.  All choke points have their limit.
If you have a 100 megabit uplink to the Internet and a distributed attacker
is able to source 110mbps of spoofed DoS traffic, that doesn't mean your
firewall is "vulnerable" to a pure noise DoS flood.


> In fact, before you blame the IPS and/or Firewall you should
> consult the specifications to be sure you are reaching the device's limit.

But a well-designed Firewall shouldn't fall over under a sustained DoS,
should have a well-implemented state engine, synproxy, and RED,
such that under most types of DoS traffic, legitimate sessions still
have a chance to get through.

On 10/12/07, H D Moore <sflist@digitaloffense.net> wrote:
> If you can fill the state table using just SYN packets (without doing a
> full session setup), then the device in question is just crap :-)

No argument here.


Kevin

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------