IDS mailing list archives
RE: Sessions Resource Exhaustion
From: "Srinivasa Addepalli" <srao () intoto com>
Date: Fri, 12 Oct 2007 15:55:40 -0700
Hi,

Before you consider these devices vulnerable, I suggest you check the configuration you had on these devices. Note that many devices provide several options to reduce the impact of these kinds of attacks.

These attacks are called DDOS attacks as they can originate from a single source or multiple sources. Packets sent by these attacks look like legitimate traffic and hence can't be isolated by doing any deep inspection of packets. These attacks are mainly intended to exhaust resources in targeted devices or networks. Security devices are no exception if enough precautions are not taken - selecting the right security device and configuring the security device based on the kind of traffic expected in the network. (See below.)

Multiple types of defenses are required in a security device to protect itself or protect internal networked resources. If your security devices do not have these defenses, either you need to look for a device having this functionality or deploy dedicated DDOS appliances in front of security devices.

Thanks
Srini

----------------------------------------------------------------------------

Types of flood attacks and defenses one should look for:

TCP SYN flood: There are multiple tools available to send a large number of SYN packets with random source IP addresses. If the security device creates a session for every SYN packet, it can quickly exhaust its state tables and does not allow any more connections to the resources it is supposed to protect. A security device must have a facility to defend against this flood. There are two methods followed - randomly dropping SYN packets and providing a SYN-COOKIE mechanism. Look for both. SYN Cookie provides a mechanism by which it sends a cookie as part of the SYN ACK packet and creates a session only when the client ACK is received with this cookie. The sequence number field is used to send the cookie. With this mechanism, the security device can protect itself from SYN packet floods. [1]

TCP Connection floods: A TCP connection is one where the three-way TCP handshake is completed. Devices consider them as genuine and there is no simple way for devices to decide legitimate versus illegitimate connections. Administrators need to know the typical connection load for each service+server combination and tune the security device to alert him/her once this condition is reached. Companies can take action by informing their local service provider and/or administrators can create filtering rules to block attacking IP addresses. In addition, filtering on source IP addresses using IP lists such as BOGON, Botnets will help in reducing the impact of this attack. [2]

UDP floods (and other non-connection oriented floods): There is no connection establishment phase in UDP. If UDP traffic is allowed, then it is one easy way to exhaust state tables. Since it does not have connection establishment, TCP SYN flood defenses can't be used here. Here too, you need to know whether any UDP services are present in your network and tune the configuration of your security device to alert you once a certain number of states is used for a UDP service+server combination. It is also good practice to limit the number of sessions for all UDP connections for providing smooth TCP connectivity. [2]

Also, it is good practice to configure inactivity timeouts for services. Many products provide configurability of inactivity timeouts for services and for different stages of a TCP connection. If you are allowing interactive applications such as SSH etc., then configure a higher timeout value, but limit the number of SSH connections. Typically attackers tend to take advantage of these connections to fill up device state tables. For non-interactive applications such as HTTP, SMTP and others, lesser inactivity timeout values can be set. [3]

Intrupro-IPS software provides configurability to provide defense against the above flood attacks [1][2][3] and much more. Not only does it alert administrators when DDOS is detected, but it also rate limits the traffic immediately. Having said that, the defense is good only if it is configured well, especially for TCP connection floods and UDP floods.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ravi Chunduru
Sent: Thursday, October 11, 2007 9:14 AM
To: focus-ids () securityfocus com
Subject: Sessions Resource Exhaustion

Using simple tools such as hping2 and others, I am able to exhaust session resources in some firewall and IPS devices. Some firewalls and IPS devices addressing small business market segments seem to be supporting a maximum of 10000 sessions. These devices are not allowing any new connections if all 10000 sessions are used up. Can I say that these devices are vulnerable to simple DoS attacks?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
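The SYN-cookie defense Srini describes, modelled as an added example (not code from the post or from any Intoto product): the device answers every SYN with a cookie in the sequence number and allocates no state, then allocates a session only when an ACK carries a cookie it can recompute from the 4-tuple. The cookie layout (a 5-bit time-slice counter plus 27 bits of truncated HMAC), the secret, the addresses and the 10000-session ceiling are constructed for the illustration and do not follow any particular vendor's encoding.

```python
import hmac, hashlib, struct, random

MAX_SESSIONS = 10000  # state-table ceiling like the devices in the thread
COUNT_BITS = 5        # time-slice counter kept in the top bits of the cookie
MAC_MASK = (1 << (32 - COUNT_BITS)) - 1

class SynCookieServer:
    """Model of a device that answers SYNs statelessly with a cookie in the ISN
    and allocates session state only when an ACK carries a valid cookie."""
    def __init__(self, secret=b"constructed-secret"):
        self.secret, self.slot, self.sessions = secret, 0, {}

    def _mac(self, ft, count):
        # ft = (src_ip, src_port, dst_ip, dst_port); bind the cookie to it
        msg = struct.pack("!4sH4sHI", *ft, count)
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack("!I", mac[:4])[0] & MAC_MASK

    def on_syn(self, ft):
        # No state allocated: the cookie is sent as our ISN in the SYN-ACK.
        count = self.slot & ((1 << COUNT_BITS) - 1)
        return (count << (32 - COUNT_BITS)) | self._mac(ft, count)

    def on_ack(self, ft, ack):
        # Rebuild the cookie from the 4-tuple; only a match earns an entry.
        if len(self.sessions) >= MAX_SESSIONS:
            return False
        isn = (ack - 1) & 0xFFFFFFFF          # client acks ISN + 1
        count = isn >> (32 - COUNT_BITS)
        age = (self.slot - count) % (1 << COUNT_BITS)
        if age > 1 or (isn & MAC_MASK) != self._mac(ft, count):
            return False                      # stale or forged cookie
        self.sessions[ft] = "ESTABLISHED"
        return True

def demo(n_flood=100000):
    srv, rng = SynCookieServer(), random.Random(1)
    server = (b"\x0a\x00\x00\x01", 80)
    for _ in range(n_flood):               # constructed random-source SYN flood
        src = (struct.pack("!I", rng.getrandbits(32)), rng.randrange(1024, 65535))
        srv.on_syn(src + server)
    after_flood = len(srv.sessions)        # 0: nothing was allocated
    client = (b"\xc0\xa8\x01\x05", 40000) + server
    isn = srv.on_syn(client)
    legit = srv.on_ack(client, isn + 1)    # real handshake completes
    forged = srv.on_ack((b"\xc0\xa8\x01\x06", 40000) + server, isn + 1)
    stale_client = (b"\xc0\xa8\x01\x07", 40000) + server
    stale_isn = srv.on_syn(stale_client)
    srv.slot += 2                          # two time slices pass
    stale = srv.on_ack(stale_client, stale_isn + 1)
    return after_flood, legit, forged, stale, len(srv.sessions)
```

Calling demo() returns (0, True, False, False, 1): a 100k-packet flood leaves the table empty, the genuine client gets a session, and the ACK with someone else's cookie or an expired one is dropped.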