Vulnerability Development mailing list archives
RE: Firewall-1 and ISA D.o.S.
From: "Jim Harrison (SPG)" <jmharr () microsoft com>
Date: Mon, 18 Feb 2002 08:53:50 -0800
Interesting DoS (similar in concept to the UDP flood that thor () hammerofgod com reported a few months ago), but how would you have the developers deal with it? Every packet that is seen by any firewall takes some CPU time to examine and decide what to do with it. Granted, under normal circumstances, this processing overhead is "assumed" and the performance specs for the device take that into account.

<rant>
Under situations where there is some jerk in the LAN that has decided to dump his job and leaves such a bomb lying in wait (really stupid to do it while he's still there), it's easily blocked at the network level so that the firewall doesn't have to deal with it. Tracking down this sort of game is comparatively simple and I'd personally take great pleasure in defenestrating that particular jackass.
</rant>

* Jim Harrison
MCP(NT4, 2K), A+, Network+
Services Platform Group

Never be afraid to try something new.
Remember that amateurs built the Ark.
Professionals built the Titanic.

-----Original Message-----
From: overclocking_a_la_abuela () hotmail com [mailto:overclocking_a_la_abuela () hotmail com]
Sent: Monday, February 18, 2002 04:43
To: vuln-dev () securityfocus com
Subject: Re: Firewall-1 and ISA D.o.S.

In-Reply-To: <3.0.5.32.20020218085949.012f4100@192.228.128.13>

When you stop the attack, the firewall recovers, but think that in the case of ISA D.o.S. I'm sending spoofed packets so it will be more difficult to find the attacker (if you have no IDS or similar). Suppose the length of the D.o.S. is 1 hour... nobody can surf the web, you cannot access the ISA..., probably no VPN,... Think about it.

Hugo Vázquez Caramés
Security Consultant
Current thread:
- Firewall-1 and ISA D.o.S. overclocking_a_la_abuela (Feb 17)
- RE: Firewall-1 and ISA D.o.S. Dom De Vitto (Feb 17)
- Re: Firewall-1 and ISA D.o.S. Lincoln Yeoh (Feb 17)
- <Possible follow-ups>
- Re: Firewall-1 and ISA D.o.S. overclocking_a_la_abuela (Feb 18)
- RE: Firewall-1 and ISA D.o.S. Dom De Vitto (Feb 18)
- Re: Firewall-1 and ISA D.o.S. overclocking_a_la_abuela (Feb 18)
- Re: Firewall-1 and ISA D.o.S. Lincoln Yeoh (Feb 18)
- RE: Firewall-1 and ISA D.o.S. Jim Harrison (SPG) (Feb 18)