RE: Sessions Resource Exhaustion



No, it does not mean the IPS and/or Firewall is vulnerable... It means that
the IPS and/or Firewall was designed to handle this amount. In fact, before
you blame the IPS and/or Firewall you should consult the specifications to
be sure you are reaching the device's limit.

If the limit differs from the specification then you have a design flaw, and
you can say that it is vulnerable; otherwise it means that the IPS and/or
Firewall is designed to work in small business, and if you need, want or
desire to handle more connections / sessions you, or even the IPS and/or
Firewall designer (usually the vendor or the partner), should do the
homework...

Just to add more on this topic, I want to point out that session limitations are
difficult to understand and address if you don't know exactly what the
environment you are trying to protect is. In some cases you have extraordinarily
complex environments that you have to study deeply to do your device sizing.

Best regards.

Nelson Brito
nbrito@xxxxxxxxxx
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ravi Chunduru
Sent: Thursday, October 11, 2007 1:14 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Sessions Resource Exhaustion

Using simple tools such as hping2 and others, I am able to exhaust
session resources in some firewall and IPS devices. Some firewalls and
IPS devices addressing small business market segments seem to
support a maximum of 10000 sessions. These devices are not allowing
any new connections if all 10000 sessions are used up.

Can I say that these devices are vulnerable to simple DoS attacks?

Thanks
Ravi
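The two messages above turn on one question: is the observed session ceiling the vendor's specified limit (a sizing problem) or something lower (a design flaw)? The following is an added example, not code from either poster or from any vendor; it assumes a periodic poll of the device's session table written as constructed lines of the form `<timestamp> active=<n> denied=<n>`, compares the ceiling at which new connections are refused against the specified maximum, and flags when peak usage leaves too little headroom.

```python
import re
from dataclasses import dataclass

# Constructed sample counters in the style of a per-minute session-table poll.
# The log format is an assumption of this example, not any real device's output.
SAMPLE_LOG = """\
2007-10-11T13:10:00 active=6200 denied=0
2007-10-11T13:11:00 active=8900 denied=0
2007-10-11T13:12:00 active=10000 denied=37
2007-10-11T13:13:00 active=10000 denied=412
2007-10-11T13:14:00 active=7100 denied=0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) active=(?P<active>\d+) denied=(?P<denied>\d+)$")


@dataclass
class Sample:
    ts: str
    active: int   # sessions held in the table at poll time
    denied: int   # new connections refused since the previous poll


def parse_samples(text):
    """Parse poll lines; lines that do not match the expected format are skipped."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            samples.append(Sample(m["ts"], int(m["active"]), int(m["denied"])))
    return samples


def assess(samples, spec_max, warn_ratio=0.8):
    """Compare observed session-table behaviour with the vendor's stated limit."""
    peak = max(s.active for s in samples)
    refusing = [s for s in samples if s.denied > 0]
    # The highest active count at which connections were refused is the real ceiling.
    observed_ceiling = max((s.active for s in refusing), default=None)
    if observed_ceiling is None:
        verdict = "no exhaustion observed"
    elif observed_ceiling < spec_max:
        verdict = "design flaw: refuses connections below specified limit"
    else:
        verdict = "at specified limit: undersized for this environment"
    return {
        "peak": peak,
        "observed_ceiling": observed_ceiling,
        "headroom_warning": peak >= warn_ratio * spec_max,
        "verdict": verdict,
    }
```

Run with the specified maximum from the vendor's datasheet (`assess(parse_samples(SAMPLE_LOG), 10000)`); a `design flaw` verdict is the case Nelson describes, while `undersized` means the sizing exercise, not the device, is at fault.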

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------