IDS mailing list archives

RE: Sessions Resource Exhaustion


From: "Srinivasa Addepalli" <srao () intoto com>
Date: Fri, 12 Oct 2007 15:55:40 -0700

Hi,

Before you consider these devices vulnerable, I suggest you check the
configuration you have on these devices. Note that many devices provide
several options to reduce the impact of these kinds of attacks.

These attacks are called DDOS attacks as they can originate from a single
source or multiple sources. Packets sent by these attacks look like
legitimate traffic and hence can't be isolated by doing any deep inspection
of packets. These attacks are mainly intended to exhaust resources in the
targeted devices or network. Security devices are no exception if enough
precautions are not taken: selecting the right security device and configuring
the security device based on the kind of traffic expected in the network (see
below).

Multiple types of defenses are required in a security device to protect
itself or to protect internal networked resources. If your security devices do
not have these defenses, you either need to look for a device having this
functionality or deploy dedicated DDOS appliances in front of the security
devices.

Thanks
Srini

----------------------------------------------------------------------------

Types of flood attacks and defenses one should look for:

TCP SYN flood:  There are multiple tools available to send a large number of
SYN packets with random source IP addresses. If a security device creates a
session for every SYN packet, it can quickly exhaust its state tables and
then allows no more connections to the resources it is supposed to protect.
A security device must have a facility to defend against this flood. There are
two methods followed: randomly dropping SYN packets and providing a
SYN-COOKIE mechanism. Look for both. SYN Cookie provides a mechanism by
which the device sends a cookie as part of the SYN-ACK packet and creates a session only
when the client ACK is received with this cookie. The sequence number field is used
to send the cookie. With this mechanism, the security device can protect itself
from SYN packet floods. [1]

TCP Connection floods: A TCP connection is one where the three-way TCP
handshake has completed. Devices consider these genuine and there is no
simple way for devices to decide legitimate versus illegitimate connections.

Administrators need to know the typical connection load for each service+server
combination and tune the security device to alert them once this condition is
reached. Companies can take action by informing their local service provider,
and/or administrators can create filtering rules to block attacking IP
addresses.  In addition, filtering on source IP addresses using IP lists
such as BOGON and botnet lists will help in reducing the impact of this attack. [2]

UDP floods (and other non-connection-oriented floods): There is no
connection establishment phase in UDP. If UDP traffic is allowed, then it is
one easy way to exhaust state tables. Since it has no connection
establishment, TCP SYN flood defenses can't be used here. Here too, you need
to know whether any UDP services are present in your network and tune the
configuration of your security device to alert you once a certain number of
states is used for a UDP service+server combination. It is also good practice
to limit the number of sessions for all UDP connections to provide smooth TCP
connectivity. [2]

Also, it is good practice to configure inactivity timeouts for services.
Many products provide configurability of inactivity timeouts for services
and for different stages of a TCP connection.  If you are allowing interactive
applications such as SSH, then configure a higher timeout value, but
limit the number of SSH connections. Typically attackers tend to take advantage
of these connections to fill up device state tables. For non-interactive
applications such as HTTP, SMTP and others, lower inactivity timeout values
can be set. [3]


Intrupro-IPS software provides configurability to provide defense against the
above flood attacks [1][2][3] and much more.  Not only does it alert
administrators when a DDOS is detected, but it also rate limits the traffic
immediately. Having said that, the defense is only good if it is configured well,
especially for TCP connection floods and UDP floods.




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ravi Chunduru
Sent: Thursday, October 11, 2007 9:14 AM
To: focus-ids () securityfocus com
Subject: Sessions Resource Exhaustion

Using simple tools such as hping2 and others, I am able to exhaust
session resources in some firewall and IPS devices. Some firewalls and
IPS devices addressing small business market segments seem to
support a maximum of 10000 sessions.  These devices do not allow
any new connections if all 10000 sessions are used up.

Can I say that these devices are vulnerable to simple DoS attacks?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



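The SYN-cookie defense discussed in the thread ([1]) and the inactivity-timeout advice ([3]), as an added illustration that is not part of the thread and not any vendor's code: a small model of a stateful device with the 10000-entry session table Ravi mentions, run once without and once with SYN cookies against a constructed SYN flood from random sources. The cookie layout (5-bit time counter in the top bits, 24-bit keyed hash below, bound to the 4-tuple and the client ISN) and the secret key are assumptions modelled on the classic scheme, not a description of any product.

```python
import hashlib
import hmac
import os
import random

# Added illustration, not any vendor's code: a model of a stateful device with a
# fixed-size session table, with and without a SYN-cookie defense. The cookie
# layout (5-bit time counter, 24-bit keyed hash) is an assumption modelled on
# the classic scheme; the 10000-session limit is the figure from the thread.

MAX_SESSIONS = 10000
COOKIE_VALID_TICKS = 2          # accept cookies minted in the last 2 ticks only
SECRET = os.urandom(16)         # assumed per-device secret keying the cookie MAC
MASK32 = 0xFFFFFFFF


def _cookie_mac(flow, client_isn, tick):
    """24-bit keyed hash over the 4-tuple, the client ISN and the tick counter."""
    saddr, sport, daddr, dport = flow
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{client_isn}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(flow, client_isn, tick):
    """Our ISN for the SYN-ACK: tick counter in the top 5 bits, MAC in the low
    24 bits (bits 24-26 unused here; real stacks keep an MSS index there).
    Nothing is stored on the device for this SYN."""
    t = tick & 0x1F
    return ((t << 27) | _cookie_mac(flow, client_isn, t)) & MASK32


def check_syn_cookie(flow, seq, ack, tick):
    """Validate the client's ACK: ack-1 is the cookie we sent, seq-1 the client ISN."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    cookie_tick = cookie >> 27
    if ((tick - cookie_tick) & 0x1F) > COOKIE_VALID_TICKS:   # stale or replayed
        return False
    expected = _cookie_mac(flow, client_isn, cookie_tick).to_bytes(3, "big")
    return hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big"))


class Device:
    def __init__(self, syn_cookies, rng=None):
        self.syn_cookies = syn_cookies
        self.rng = rng or random.Random()
        self.table = {}   # flow -> {"state": ..., "isn": ..., "seen": tick}

    def on_syn(self, flow, client_isn, tick):
        """Return our ISN for the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            return make_syn_cookie(flow, client_isn, tick)     # stateless reply
        if len(self.table) >= MAX_SESSIONS:
            return None                                        # table full: drop
        isn = self.rng.getrandbits(32)
        self.table[flow] = {"state": "half_open", "isn": isn, "seen": tick}
        return isn

    def on_ack(self, flow, seq, ack, tick):
        """Third packet of the handshake. True once the session is established."""
        if self.syn_cookies:
            if not check_syn_cookie(flow, seq, ack, tick) or len(self.table) >= MAX_SESSIONS:
                return False
        else:
            e = self.table.get(flow)
            if e is None or e["state"] != "half_open" or ack != ((e["isn"] + 1) & MASK32):
                return False
        self.table[flow] = {"state": "established", "isn": None, "seen": tick}
        return True

    def expire(self, now, half_open_timeout, established_timeout):
        """Inactivity timeouts, shorter for half-open entries than for established ones."""
        limits = {"half_open": half_open_timeout, "established": established_timeout}
        self.table = {f: e for f, e in self.table.items()
                      if now - e["seen"] <= limits[e["state"]]}
        return len(self.table)


def simulate(syn_cookies, flood_size=20000, tick=7):
    """Constructed SYN flood from random sources, then one legitimate handshake."""
    rng = random.Random(1)
    dev = Device(syn_cookies, rng)
    victim = ("10.0.0.5", 80)
    for _ in range(flood_size):
        flow = (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536), *victim)
        dev.on_syn(flow, rng.getrandbits(32), tick)        # attacker never ACKs
    flow = ("192.0.2.10", 40000, *victim)
    client_isn = 12345
    isn = dev.on_syn(flow, client_isn, tick)
    connected = isn is not None and dev.on_ack(flow, client_isn + 1, (isn + 1) & MASK32, tick)
    return {"table_size": len(dev.table),
            "half_open": sum(e["state"] == "half_open" for e in dev.table.values()),
            "legit_connected": bool(connected)}


if __name__ == "__main__":
    print("no defense :", simulate(False))
    print("SYN cookies:", simulate(True))
```

Without cookies the flood fills all 10000 slots with half-open entries and the legitimate SYN is dropped; with cookies the device stores nothing until a valid ACK arrives, so the table holds only the one real session. The `expire` method shows the other half of the advice: a short half-open timeout reclaims flood entries long before an established interactive session such as SSH would be touched. A real implementation would also have to reconstruct the MSS from the cookie, which this model leaves out.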

