RE: Sessions Resource Exhaustion

Please read the definition of DoS Attacks.

I believe any firewall will be a victim if we setup a test launching
the attack in LAB and let the resources tanked.

IPS can take care of many of these but an attacker can still modify
the packet size and exhaust memory due to large packet size.

Hence when buying these solutions one need to understand the network
architect of their network, available bandwidth and number of session vs.
resources calculations to size their firewall and IPS solution. This would
create enough cushions for an administrator to react and remedy an attack.

Regards
Ahsan Khan
ahsank@xxxxxxxxx




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Nelson Brito
Sent: Friday, October 12, 2007 12:51 PM
To: 'Ravi Chunduru'; focus-ids@xxxxxxxxxxxxxxxxx
Subject: RE: Sessions Resource Exhaustion

No, it does not mean the IPS and/or Firewall is vulnerable... It means that
the IPS and/or Firewall was designed to handle this amount. In fact, before
you blame the IPS and/or Firewall you should consult the specifications to
be sure you are reaching the device's limit.

If the limit differs of the specification then you have a design flaw, and
you can say that it is vulnerable, otherwise it means that the IPS and/or
Firewall is designed to work in small business, and if you need, want or
desire to handle more connections / sessions you, or even the IPS and/or
Firewall designer (usually the vendor or the partner), should do the home
work...

Just to add more in this topic, I want to point that sessions limitations is
difficult to understand and address if you don't know what exactly is the
environment you are try to protect. In some cases you have extraordinary
complex environments that you have to study deeply to do your device sizing.

Best regards.

Nelson Brito
nbrito@xxxxxxxxxx
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ravi Chunduru
Sent: Thursday, October 11, 2007 1:14 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Sessions Resource Exhaustion

using simple tools such as hping2 and others, i am able to exhaust
session resources in some firewall and IPS devices. some firewalls and
IPS devices addressing small business market segments seems to be
supporting maximum of 10000 sessions. these devices are not allowing
any new connections if all 10000 sessions are used up.

can i say that these devices are vulnerable to simple DoS attacks?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=
intro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • RE: Sessions Resource Exhaustion
    ... it does not mean the IPS and/or Firewall is vulnerable... ... If the limit differs of the specification then you have a design flaw, ... Just to add more in this topic, I want to point that sessions limitations is ...
    (Focus-IDS)
  • Firewall service unavailable !!
    ... i checked the monitoring and found the Firewall ... i checked the "sessions monitoring" ... session" those IPs, when i go back to the Services, the ...
    (microsoft.public.isa)
  • Re: Possible attack?
    ... If a cracker attacks too many denyhosts protected sites, ... When practical, it is better to specify allowed IPs at the firewall, rather than at the application. ...
    (comp.os.linux.networking)
  • RE: Firewall service unavailable !!
    ... the LAT already has the local IP range only, and the packet filter is already enabled. ... for those two IPs, i blocked them and blocked the range of it using IP Packet Filter with these settings: "please correct me if i'm mistaking" ... i checked the monitoring and found the Firewall ... > sessions went back to 2. ...
    (microsoft.public.isa)
  • RE: location of an IPS
    ... What good can an IPS make in a DOS attack in front of your firewall??? ... If your IPS can provide DDoS protection in addition to the Malicious Content ... the activity log did not contain any record of the "attacks". ...
    (Focus-IDS)
Loading