Re: Sessions Resource Exhaustion
Hello,
On Thu, 11 Oct 2007 09:14:02 -0700
"Ravi Chunduru" <ravi.is.chunduru@xxxxxxxxx> wrote:
> Using simple tools such as hping2 and others, I am able to exhaust
> session resources in some firewall and IPS devices. Some firewalls and
> IPS devices addressing small business market segments seem to
> support a maximum of 10000 sessions. These devices do not allow
> any new connections once all 10000 sessions are used up.
> Can I say that these devices are vulnerable to simple DoS attacks?
In fact, you have to take into consideration a simple thing:
a security device (and a specific model) is built for a specific job;
this is why there are so many different models within the same company.
Exceeding the design limits is not proof that a device is not
good for its job (aka vulnerable), just that it is not ready for that.
Best regards,
Jean-philippe.
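The exhaustion Ravi describes, as an added illustration that is not part of the original thread: a toy Python model of a bounded session table (the 10000-entry limit from the post) with two assumed mitigation knobs, an idle timeout and a per-source session cap, which are my assumptions about typical vendor settings rather than anything stated in the posts. It shows that without either knob one source fills the table and a later legitimate flow is refused; the addresses are constructed RFC 5737 documentation addresses.

```python
from collections import OrderedDict

class SessionTable:
    """Toy model of a firewall/IPS session table with a hard capacity.
    idle_timeout and max_per_source are assumed mitigation knobs."""
    def __init__(self, capacity=10000, idle_timeout=None, max_per_source=None):
        self.capacity = capacity
        self.idle_timeout = idle_timeout      # seconds; None = never age out
        self.max_per_source = max_per_source  # None = no per-source cap
        self.sessions = OrderedDict()         # 4-tuple -> last-seen time, oldest first
        self.per_source = {}                  # source IP -> open session count
        self.refused = 0

    def _close(self, key):
        del self.sessions[key]
        src = key[0]
        self.per_source[src] -= 1
        if self.per_source[src] == 0:
            del self.per_source[src]

    def _expire(self, now):
        # Age out idle entries from the oldest end only, so this stays cheap.
        if self.idle_timeout is None:
            return
        while self.sessions:
            key, last = next(iter(self.sessions.items()))
            if now - last <= self.idle_timeout:
                break
            self._close(key)

    def new_flow(self, src, sport, dst, dport, now):
        """Return True if the flow gets (or refreshes) a session entry, False if refused."""
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.sessions:
            self.sessions[key] = now
            self.sessions.move_to_end(key)
            return True
        if self.max_per_source is not None and self.per_source.get(src, 0) >= self.max_per_source:
            self.refused += 1
            return False
        if len(self.sessions) >= self.capacity:
            self.refused += 1
            return False
        self.sessions[key] = now
        self.per_source[src] = self.per_source.get(src, 0) + 1
        return True

def flood_then_legit(table, flood_count, now=0):
    """Constructed scenario: one source opens flood_count flows at t=now, then a
    legitimate client connects at t=now+60. Returns (flood entries accepted, legit accepted)."""
    accepted = sum(table.new_flow("198.51.100.7", 1024 + i, "203.0.113.10", 80, now) for i in range(flood_count))
    legit_ok = table.new_flow("192.0.2.5", 40000, "203.0.113.10", 443, now + 60)
    return accepted, legit_ok
```

With no mitigation the flood takes all 10000 entries and the legitimate flow is refused; an idle timeout reclaims the entries before the legitimate flow arrives, and a per-source cap stops the single source from ever filling the table.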