RE: [fw-wiz] CERT vulnerability note VU# 539363

From: Stephen Gill (gillsr@yahoo.com)
Date: 10/16/02


From: "Stephen Gill" <gillsr@yahoo.com>
To: "'R. DuFresne'" <dufresne@sysinfo.com>
Date: Wed Oct 16 10:26:31 2002

Sadly and amazingly the TCP/SYN flood isn't handled well. Or at least
wasn't when the paper was written. Hopefully things have improved
somewhat in some vendors.

-- steve

-----Original Message-----
From: R. DuFresne [mailto:dufresne@sysinfo.com]
Sent: Wednesday, October 16, 2002 8:52 AM
To: Stephen Gill
Cc: 'Mikael Olsson'; firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] CERT vulnerability note VU# 539363

Of course the attacks mentioned in this CERT advisory are not really
traffic limit overloads, but resource exhaustion techniques. The tcp/syn
flood method of exhaustion should be well handled by most firewalls these
days. But the newer CRC-related method is something even more
interesting, and seems to support the claims of Marcus and Mikael and
Paul and others about the real depth and breadth of the packet logic in
filtering and stateful as well as proxied gateways. From how I read the
CERT, it seems you can have speed and performance, or you can have a full
examination of the packets and all their settings, but perhaps not both
at the same time, so vendors shoot for the former.

Thanks,

Ron DuFresne

On Wed, 16 Oct 2002, Stephen Gill wrote:

> In my opinion if a stateful firewall claims it can filter at rate X
> (64-byte packets, etc...), it should be able to filter at that rate under
> all conditions. Clearly a 100MB firewall that can be overloaded with
> 1MB of traffic is not good. I'd argue that if a 100MB firewall can be
> overloaded with 34MB of traffic, it's also not a good thing. But then
> again, even 100MB of filtering won't save you in a 100MB DoS which is
> not all that uncommon.
>
> I'd like to learn some of the other methods being used for mitigation
> amongst vendors.
>
> -- steve
>
> -----Original Message-----
> From: Mikael Olsson [mailto:mikael.olsson@clavister.com]
> Sent: Wednesday, October 16, 2002 7:44 AM
> To: Stephen Gill
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363
>
>
> Stephen Gill wrote:
> >
> > Thought I'd pass this along.
> >
> > http://www.kb.cert.org/vuls/id/539363
>
> Although this is something that people need to keep in mind when
> picking / designing a firewall, I'd argue that anything north of
> a stateless packet filter is going to be vulnerable to these sort
> of attacks.
>
> If you keep state, you will be vulnerable to state table overflows.
> Period. The only real question is: how much work does the attacker
> need to put in before it becomes painful for the networks that the
> firewall is protecting? Is being able to resist a 1 Mbps stream
> (~4500 pps) "Not vulnerable"? Is being able to resist a 34 Mbps stream
> (~150 kpps) "Not vulnerable"? Or should every single firewall
> vendor report in and say "Vulnerable", and describe what the limit is?
>
>
> And, yes, ALG-only firewalls can also be overloaded. It's just a
> different type of 'state'.
>
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
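Mikael's point in the quoted message (anything that keeps state can be overrun; the only real question is how much traffic it takes) can be put in numbers with a small capacity model. The following Python is an added example, not code from anyone on the list. It assumes one table entry per new flow (each unanswered SYN creates one), a fixed idle timeout after which half-open entries are reaped, and 64-byte packets for the Mbps conversion; every table size, timeout and rate in it is a constructed illustration, not a figure from any vendor.

```python
"""Capacity model for a stateful device's connection table (added example).

Constructed assumptions, not from the thread:
- every new flow (e.g. each SYN from a fresh source port) costs one entry,
- an entry that never completes is reaped after idle_timeout_s seconds,
- packets are BYTES_PER_PACKET bytes when converting to a line rate.
"""
from collections import deque

BYTES_PER_PACKET = 64  # constructed: minimum-size frames, worst case per bit


def pps_from_mbps(mbps: float, bytes_per_packet: int = BYTES_PER_PACKET) -> float:
    """Packets per second carried by a bit rate at a fixed packet size."""
    return mbps * 1_000_000 / 8 / bytes_per_packet


def mbps_from_pps(pps: float, bytes_per_packet: int = BYTES_PER_PACKET) -> float:
    """Inverse of pps_from_mbps: line rate needed to deliver pps packets/s."""
    return pps * bytes_per_packet * 8 / 1_000_000


def steady_state_entries(new_flows_per_sec: float, idle_timeout_s: float) -> float:
    """Little's law: occupancy = arrival rate x residence time.

    This is how many entries a sustained stream of never-completing flows
    pins in the table once the first ones start timing out.
    """
    return new_flows_per_sec * idle_timeout_s


def min_flow_rate_to_overflow(table_size: int, idle_timeout_s: float) -> float:
    """New-flow rate at which steady-state occupancy reaches the table size.

    Shorter timeouts raise this bar; a bigger table raises it too, but only
    linearly, so the answer is always 'vulnerable above N pps', never 'not
    vulnerable', which is Mikael's point.
    """
    return table_size / idle_timeout_s


def simulate_state_table(table_size: int, idle_timeout_s: float,
                         new_flows_per_sec: int, duration_s: float,
                         step_ms: int = 100) -> dict:
    """Discrete-time simulation of the table under a constant new-flow load.

    Returns {'overflow_at_s': seconds until a new flow finds the table full
    (None if it never does), 'peak': highest occupancy seen}.
    Integer millisecond arithmetic keeps the arrival count exact.
    """
    table: deque = deque()  # expiry times in ms; FIFO since the timeout is constant
    timeout_ms = int(idle_timeout_s * 1000)
    carry = 0  # fractional arrivals carried between steps, in 1/1000 flows
    peak = 0
    for now_ms in range(0, int(duration_s * 1000) + 1, step_ms):
        # Reap entries whose idle timeout has elapsed.
        while table and table[0] <= now_ms:
            table.popleft()
        carry += new_flows_per_sec * step_ms
        arrivals, carry = divmod(carry, 1000)
        for _ in range(arrivals):
            if len(table) >= table_size:
                return {"overflow_at_s": now_ms / 1000, "peak": max(peak, len(table))}
            table.append(now_ms + timeout_ms)
        peak = max(peak, len(table))
    return {"overflow_at_s": None, "peak": peak}


if __name__ == "__main__":
    # Constructed device: 1,000,000 entries, 60 s half-open timeout.
    size, timeout = 1_000_000, 60
    rate = min_flow_rate_to_overflow(size, timeout)
    print(f"overflow above {rate:.0f} new flows/s "
          f"(~{mbps_from_pps(rate):.1f} Mbps of {BYTES_PER_PACKET}-byte packets)")
    # Shrinking the timeout to 10 s multiplies the required attack rate by 6.
    print(f"with a 10 s timeout: {min_flow_rate_to_overflow(size, 10):.0f} new flows/s")
    print(simulate_state_table(10_000, 10, 2000, 30))
    print(simulate_state_table(10_000, 10, 500, 30))
```

The simulation and the closed-form figure agree: a table of 10,000 entries with a 10 s timeout is full after 5 s at 2,000 new flows/s, while 500 new flows/s settles at 5,000 entries and never overflows. The useful defender's knob the model exposes is the idle timeout for incomplete handshakes, since the rate an attacker must sustain scales inversely with it.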

