
| Subject: | RE: Sessions Resource Exhaustion |
|---|---|
| Date: | Sat, 13 Oct 2007 12:01:57 -0400 |
Please read the definition of DoS Attacks.
I believe any firewall will be a victim if we set up a test launching
the attack in a lab and let the resources tank.
IPS can take care of many of these, but an attacker can still modify
the packet size and exhaust memory due to large packet size.
Hence when buying these solutions one needs to understand the network
architecture of their network, available bandwidth and number of sessions vs.
resources calculations to size their firewall and IPS solution. This would
create enough cushion for an administrator to react and remedy an attack.
Regards
Ahsan Khan
ahsank@jahil.net
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Nelson Brito
Sent: Friday, October 12, 2007 12:51 PM
To: 'Ravi Chunduru'; focus-ids@securityfocus.com
Subject: RE: Sessions Resource Exhaustion
No, it does not mean the IPS and/or Firewall is vulnerable... It means that
the IPS and/or Firewall was designed to handle this amount. In fact, before
you blame the IPS and/or Firewall you should consult the specifications to
be sure you are reaching the device's limit.
If the limit differs from the specification then you have a design flaw, and
you can say that it is vulnerable, otherwise it means that the IPS and/or
Firewall is designed to work in small business, and if you need, want or
desire to handle more connections / sessions you, or even the IPS and/or
Firewall designer (usually the vendor or the partner), should do the
homework...
Just to add more on this topic, I want to point out that session limitations are
difficult to understand and address if you don't know exactly what
environment you are trying to protect. In some cases you have extraordinarily
complex environments that you have to study deeply to do your device sizing.
Best regards.
Nelson Brito
nbrito@sekure.org
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Ravi Chunduru
Sent: Thursday, October 11, 2007 1:14 PM
To: focus-ids@securityfocus.com
Subject: Sessions Resource Exhaustion
Using simple tools such as hping2 and others, I am able to exhaust session
resources in some firewall and IPS devices. Some firewalls and IPS devices
addressing small business market segments seem to be supporting a maximum of
10000 sessions. These devices are not allowing any new connections if all
10000 sessions are used up. Can I say that these devices are vulnerable to
simple DoS attacks?
thanks
Ravi
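
The "number of sessions vs. resources" sizing calculation raised in the thread, sketched as an added example that is not part of any poster's message. Only the 10000-session limit comes from the thread; the traffic rates, timeouts, headroom and all function names are constructed assumptions.

```python
"""Session-table sizing sketch (added example; every figure except the
10000-session limit quoted in the thread is a constructed assumption)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    max_sessions: int        # session-table capacity from the data sheet
    idle_timeout_s: float    # how long an unanswered/idle entry is kept


def steady_state_sessions(new_per_s: float, mean_lifetime_s: float) -> float:
    """Little's law: concurrent sessions = arrival rate * mean lifetime."""
    return new_per_s * mean_lifetime_s


def seconds_to_full(dev: Device, baseline: float,
                    stale_per_s: float) -> Optional[float]:
    """Time until the table fills when `stale_per_s` entries per second are
    created that never complete and only leave via the idle timeout.
    Returns None if the timeout reclaims entries fast enough."""
    free = dev.max_sessions - baseline
    if free <= 0:
        return 0.0
    # Stale entries plateau at stale_per_s * idle_timeout_s.
    if stale_per_s * dev.idle_timeout_s <= free:
        return None
    return free / stale_per_s


def required_capacity(baseline: float, stale_per_s: float,
                      idle_timeout_s: float, headroom: float = 0.2) -> int:
    """Table size that absorbs the stale plateau plus a safety margin."""
    return int((baseline + stale_per_s * idle_timeout_s) * (1 + headroom) + 0.5)


if __name__ == "__main__":
    small = Device(max_sessions=10000, idle_timeout_s=60)   # timeout assumed
    base = steady_state_sessions(new_per_s=50, mean_lifetime_s=40)  # 2000
    print(seconds_to_full(small, base, stale_per_s=500))    # 16.0
    print(seconds_to_full(Device(10000, 10), base, 500))    # None
    print(required_capacity(base, 500, 60))                 # 38400
```

The second call shows why the idle timeout matters as much as the table size: with the same table, a shorter timeout keeps the stale plateau below the free capacity.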