RE: Sessions Resource Exhaustion

> Exactly.  All choke points have their limit.
> If you have a 100 megabit uplink to the Internet and a distributed
> attacker
> is able to source 110mbps of spoofed DoS traffic, that doesn't mean your
> firewall is "vulnerable" to a pure noise DoS flood.

I don't believe it is possible to reach 110 Mbps in a 100 Mbps uplink, so we
still don't have DoS. This kind of DoS, which makes your uplink reach the
maximum throughput possible, is not protected by IPS and/or Firewall
devices. It should be addressed by another strategy.

> But a well-designed Firewall shouldn't fall over under a sustained DoS,
> should have a well-implemented state engine, synproxy, and RED,
> such that under most types of DoS traffic, legitimate sessions still
> have a chance to get through.

I didn't say that, I said you should be sure you have the appropriate
Firewall to owkr in your environment, so be sure you have a 100 Mbps
Firewall to handle 100 Mbps link instead of trying for a miracle with a 10
Mbps in a 100 Mbps link. It sounds like a VW Beatle racing against a Ferrari
in F1 GP.

Nelson Brito


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------