Rahul,
Is it not common to have IPsec VPN Server in typical network deployments?
Regards
Ravi
On 10/15/07, Rahul K <rahulmk@gmail.com> wrote:
On 10/13/07, Ravi Chunduru <ravi.is.chunduru@gmail.com> wrote:
On 10/12/07, H D Moore <sflist@digitaloffense.net> wrote:
If you can fill the state table using just SYN packets (without doing a
full session setup), then the device in question is just crap :-)
i could not exhaust state tables with TCP. I sent UDP:500 traffic
with different source ports to fill up the state table. It makes me
wonder whether may stateful devices are vulnerable to these kinds of
attacks.
UDP may be stateless, but the moment an IPS receives an UDP packet
with some content it would have to initialize and maintain a session
for that packet because the signature matching and other checks have
to kick in. So it is not surprising that you could fill up the state
table with UDP:500 traffic. It is easier to spoof UDP packets than
complete the 3-way TCP handshake, so you may have been able to fill up
the table faster too.
However in your deployment scenario, would you really be allowing
incoming UDP traffic or would your firewall be dropping them before it
is seen by the IPS?
Rahul
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
