Bugtraq mailing list archives

Re: Simple DOS attack on FW-1


From: lease () 31337 COM (Victoria E. Lease)
Date: Tue, 3 Aug 1999 08:51:30 -0500


[Lance Spitzner]
> On Fri, 30 Jul 1999, Jeff Roberson wrote:
> > Also, if they implemented a circular buffer where connections that had
> > been idle the longest were disconnected in favor of new connections their
> > scalability might increase some.
>
> Excellent recommendation, I'll pass it along to Check Point!

Neat idea. Am I the only person who sees the potential for even further abuse
if this 'feature' is added?

Wouldn't this allow DoS attackers to not only keep new connections from
being established, but also to forcefully close already-established valid
connections? Or am I missing something?

I think it might work, though, if non-established, i.e. only two of three
handshakes completed, connections were kept in a circular buffer. That way,
the worst abuse that could happen would be for DoS'ers to incur a *chance*
of established connections failing, and they wouldn't be able to affect
already-established connections. They'd have to keep hammering at the
unestablished-connection buffer, and very quickly, too, in order to keep
valid connections from making it through.

Perhaps this is what was intended by the suggestion in the first place?
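
The two eviction policies discussed in this thread, compared in a toy state table, as an added example that is not part of the original post and does not model FW-1 itself. The class, the policy names, the table size and the sample connections are all constructed assumptions.

```python
from collections import OrderedDict

ESTABLISHED, HALF_OPEN = "ESTABLISHED", "HALF_OPEN"

class ConnTable:
    """Toy state table; entries are ordered longest-idle first."""
    def __init__(self, capacity, policy):
        self.capacity, self.policy = capacity, policy
        self.entries = OrderedDict()

    def _victim(self):
        if self.policy == "evict_any":          # drop longest idle, any state
            return next(iter(self.entries))
        # "evict_half_open": only unfinished handshakes may be dropped
        return next((k for k, s in self.entries.items() if s == HALF_OPEN), None)

    def syn(self, key):
        """First handshake packet. Returns False if the attempt is refused."""
        if len(self.entries) >= self.capacity:
            victim = self._victim()
            if victim is None:
                return False
            del self.entries[victim]
        self.entries[key] = HALF_OPEN
        return True

    def ack(self, key):
        """Final handshake packet. Fails if the entry was evicted meanwhile."""
        if self.entries.get(key) != HALF_OPEN:
            return False
        self.entries[key] = ESTABLISHED
        self.entries.move_to_end(key)
        return True

def run(policy, syns_during_handshake, capacity=8, established=5):
    """Return (established connections left, did the new client connect)."""
    table = ConnTable(capacity, policy)
    for i in range(established):                # constructed valid sessions
        table.syn(("valid", i))
        table.ack(("valid", i))
    for n in range(50):                         # handshakes never completed
        table.syn(("unfinished", n))
    table.syn(("new-client", 0))
    for n in range(syns_during_handshake):      # arrive before the client's ACK
        table.syn(("unfinished-late", n))
    connected = table.ack(("new-client", 0))
    left = sum(1 for k in table.entries if k[0] == "valid")
    return left, connected
```

With these defaults three slots remain for half-open entries, so under "evict_half_open" the new client connects only when fewer than three unfinished handshakes arrive during its round trip, while the five established sessions are never touched.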

