Firewall Wizards mailing list archives

RE: CERT vulnerability note VU# 539363


From: "Stephen Gill" <gillsr () yahoo com>
Date: Wed, 16 Oct 2002 17:00:10 -0500

In V4.0 the syntax has changed somewhat for the aforementioned command,
though the concept still applies...

set zone <zone> screen limit-session source-ip-based <threshold>

I've requested something like 

set zone <zone> screen limit-session dest-ip-based <threshold>

but I've not seen it in code yet.  If I'm not mistaken I believe CP has
added the ability to do both recently.

-- steve

----------------

From: "Philip J. Koenig" <pjklist () ekahuna com>
Organization: The Electric Kahuna Organization
To: firewall-wizards () honor icsalabs com
Date: Wed, 16 Oct 2002 11:50:41 -0700
Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363
Reply-To: pjklist () ekahuna com

Date: Wed, 16 Oct 2002 15:53:37 +0200
From: Daniel Hartmeier <daniel () benzedrine cx>

On Wed, Oct 16, 2002 at 08:20:09AM -0500, Stephen Gill wrote:

In my opinion if a stateful firewall claims it can filter at rate X 
(64byte packets, etc...), it should be able to filter at that rate 
under all conditions.

Obviously, for any X, when each packet is part of a TCP handshake, the
X/2 (or /3, depending on how you count) newly established connections 
per second will exhaust memory on the firewall after a certain amount 
of time.

I don't think you meant 'be able to filter at that rate' to include 
'dropping legitimate connections when running out of memory', did you?

I'd like to learn some of the other methods being used for 
mitigation amongst vendors.

Yes, that's what I'd find most interesting to read in vendor statements
myself. :)

Daniel


In addition to a SYN-flood prevention thingy which at a user-
configurable threshold will start dropping X percent of new SYN 
connections, Netscreen has a feature where you can limit the number 
of sessions a particular IP address can generate, i.e.:

    set firewall session-threshold source-ip-based 1000


This would seem to be helpful for various things (i.e. Code Red 
infected internal hosts), unless you're getting a random IP-address-
spoofed incoming DoS.

--
Philip J. Koenig                                       
pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New 
Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
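A small model of the two points made in this thread (Daniel's state-table exhaustion argument and the NetScreen per-source session limit with Philip's spoofed-source caveat), added here as an example and not code from the thread or from NetScreen; the packet rates, table size, threshold and addresses are assumed values:

```python
# Added example, not from the thread. Two constructed models: (1) at X
# packets/s, each part of a handshake, the state table fills after a
# bounded time; (2) a NetScreen-style 'limit-session source-ip-based'
# threshold holds one busy host down but does nothing against sessions
# spread over spoofed sources. Every number is an assumed value.
from collections import Counter


def seconds_to_exhaust(pps, packets_per_session, max_sessions):
    """Seconds until max_sessions table entries are consumed when a stream
    of pps packets/s creates pps/packets_per_session new sessions each
    second and no entry expires within that window."""
    new_sessions_per_sec = pps / packets_per_session
    return max_sessions / new_sessions_per_sec


def admitted_sessions(src_ips, per_source_limit):
    """Count sessions admitted from the given sequence of source IPs when
    each source may hold at most per_source_limit concurrent sessions
    (the effect of 'set zone <zone> screen limit-session source-ip-based
    <threshold>'). Sessions are assumed not to expire during the burst."""
    held = Counter()
    admitted = 0
    for src in src_ips:
        if held[src] < per_source_limit:
            held[src] += 1
            admitted += 1
    return admitted


def compare_floods(per_source_limit=1000, attempts=50_000):
    """Constructed comparison: one worm-infected internal host opening
    `attempts` sessions versus the same count spread over distinct
    (spoofed) sources."""
    one_host = ["10.0.0.7"] * attempts                # constructed address
    spoofed = [f"src-{i}" for i in range(attempts)]  # constructed, all distinct
    return {
        "single_host_admitted": admitted_sessions(one_host, per_source_limit),
        "spoofed_admitted": admitted_sessions(spoofed, per_source_limit),
    }


if __name__ == "__main__":
    # 200k pps, 2 packets counted per handshake, a 1M-entry table: 10 s
    print(seconds_to_exhaust(200_000, 2, 1_000_000))
    print(compare_floods())
```

The per-source threshold caps the single infected host at 1000 sessions while every one of the 50,000 spoofed-source attempts is admitted, which is the case Philip flags as not covered.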
