IDS mailing list archives
Re: Sessions Resource Exhaustion
From: "Ravi Chunduru" <ravi.is.chunduru () gmail com>
Date: Sat, 13 Oct 2007 00:04:58 -0700
On 10/12/07, H D Moore <sflist () digitaloffense net> wrote:
> This is called marketing :-) If you want to support DoS attacks consisting of more than 10,000 sessions, you must upgrade to a more expensive box. Even the very high-end IPS products start hitting session limits after 1-2 million concurrent sessions[1].
I understand :-). Is it not too expensive for small and medium businesses?
> Session limits are common across a wide range of routers, firewalls, and inline security devices. Most devices based on BSD/ipf have a hard limit in terms of number of sessions. IIRC, the Linux iptables code will dump old sessions in favor of new (when using NAT), so there is no stoppage, but connections can get dropped.
>
> These devices tend to be easy to DoS, but in most cases, a single service behind the device stops accepting connections before the device's own state table is filled.
>
> If you can fill the state table using just SYN packets (without doing a full session setup), then the device in question is just crap :-)
I could not exhaust state tables with TCP. I sent UDP:500 traffic with different source ports to fill up the state table. It makes me wonder whether many stateful devices are vulnerable to these kinds of attacks.
> -HD
>
> 1. <spam>My company's product (the BPS-1000) tests up to 5,000,000 concurrent application sessions at once. In the lab, we see very few products that can handle more than 500,000. Our new 10G product (BPS-10000) can push 7,500,000 concurrent sessions.</spam>
>
> On Thursday 11 October 2007, Ravi Chunduru wrote:
> > Can I say that these devices are vulnerable to simple DoS attacks?

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
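The two state-table behaviours discussed in this exchange (a hard session limit that refuses new flows versus Linux-style eviction of the oldest entry) and a defender-side check for the many-source-port pattern Ravi describes, as an added toy model that is not part of the original thread. The table capacity, the traffic tuples and the port threshold are constructed values chosen for illustration, not measurements of any product.

```python
from collections import OrderedDict

# Constructed sample traffic. Tuples are (src_ip, src_port, dst_ip, dst_port, proto).
# One ordinary client plus one host sending UDP/500 from many distinct source ports.
LEGIT = [("10.0.0.5", 40000 + i, "192.0.2.10", 53, "udp") for i in range(3)]
FLOOD = [("198.51.100.7", 1024 + i, "192.0.2.1", 500, "udp") for i in range(20)]
TRAFFIC = LEGIT + FLOOD + LEGIT  # the ordinary client comes back after the burst


class StateTable:
    """Toy connection-state table with a fixed capacity (hypothetical model).

    evict=False models a hard session limit: new flows are refused once full.
    evict=True models dropping the oldest entry to make room, as the thread
    describes for Linux NAT; nothing is refused but old sessions get cut.
    """

    def __init__(self, capacity, evict):
        self.capacity, self.evict = capacity, evict
        self.table = OrderedDict()
        self.refused = 0
        self.evicted = 0

    def see(self, flow):
        """Return True if the packet's flow is (or becomes) tracked."""
        if flow in self.table:
            self.table.move_to_end(flow)  # existing session stays alive
            return True
        if len(self.table) >= self.capacity:
            if not self.evict:
                self.refused += 1
                return False
            self.table.popitem(last=False)  # drop the oldest session
            self.evicted += 1
        self.table[flow] = True
        return True


def run(flows, capacity, evict):
    st = StateTable(capacity, evict)
    admitted = [st.see(f) for f in flows]
    return st, admitted


def suspicious_sources(flows, port_threshold):
    """Flag (src_ip, dst_port, proto) using more than port_threshold distinct
    source ports: one detection signal for a state-table fill attempt."""
    ports = {}
    for src, sport, _dst, dport, proto in flows:
        ports.setdefault((src, dport, proto), set()).add(sport)
    return sorted(k for k, v in ports.items() if len(v) > port_threshold)
```

With a capacity of 16, the hard-limit table refuses 7 of the flood flows while the ordinary client stays connected; the evicting table admits everything but pushes the ordinary client's sessions out and has to re-create them when it returns.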