RE: Firewall-1 and ISA D.o.S.

From: Jim Harrison (SPG) (jmharr@microsoft.com)
Date: 02/18/02


Date: Mon, 18 Feb 2002 08:53:50 -0800
From: "Jim Harrison (SPG)" <jmharr@microsoft.com>
To: <overclocking_a_la_abuela@hotmail.com>, <vuln-dev@securityfocus.com>

Interesting DoS (similar in concept to the UDP flood that thor@hammerofgod.com reported a few months ago), but how would you have the developers deal with it?
Every packet that is seen by any firewall takes some CPU time to examine and decide what to do with it.
Granted, under normal circumstances, this processing overhead is "assumed" and the performance specs for the device take that into account.
<rant>
Under situations where there is some jerk in the LAN that has decided to dump his job and leaves such a bomb lying in wait (really stupid to do it while he's still there), it's easily blocked at the network level so that the firewall doesn't have to deal with it. Tracking down this sort of game is comparatively simple and I'd personally take great pleasure in defenestrating that particular jackass.
</rant>

* Jim Harrison
MCP(NT4, 2K), A+, Network+
Services Platform Group

Never be afraid to try something new. Remember that amateurs built the Ark. Professionals built the Titanic.
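Jim's point that an in-LAN flooder is easy to track down even when the source addresses are spoofed, as an added example that is not part of the thread: the spoofed source IP is useless as a key, so the script groups packets by ingress interface and source MAC instead. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the thread). Every line has
# the ingress interface and source MAC next to the IP header fields; the
# second MAC sends a burst of packets with a different source IP each time.
SAMPLE_LOG = """\
08:53:50 if=eth1 smac=00:50:56:aa:bb:02 src=198.51.100.9 dst=192.0.2.10 dport=80 flags=S
08:53:50 if=eth1 smac=00:50:56:aa:bb:02 src=203.0.113.77 dst=192.0.2.10 dport=80 flags=S
08:53:50 if=eth1 smac=00:50:56:aa:bb:02 src=192.0.2.200 dst=192.0.2.10 dport=80 flags=S
08:53:50 if=eth1 smac=00:50:56:aa:bb:02 src=198.51.100.33 dst=192.0.2.10 dport=80 flags=S
08:53:50 if=eth1 smac=00:50:56:aa:bb:01 src=10.0.0.5 dst=192.0.2.10 dport=80 flags=S
08:53:51 if=eth1 smac=00:50:56:aa:bb:02 src=203.0.113.8 dst=192.0.2.10 dport=80 flags=S
08:53:51 if=eth1 smac=00:50:56:aa:bb:02 src=198.51.100.14 dst=192.0.2.10 dport=80 flags=S
08:53:51 if=eth1 smac=00:50:56:aa:bb:02 src=203.0.113.91 dst=192.0.2.10 dport=80 flags=S
08:53:51 if=eth1 smac=00:50:56:aa:bb:01 src=10.0.0.5 dst=192.0.2.10 dport=80 flags=S
"""

LINE_RE = re.compile(r"^(\S+) if=(\S+) smac=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def parse(log_text):
    """Yield (timestamp, ingress_if, src_mac, src_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ifname, smac, src, _dst, _dport = m.groups()
            yield ts, ifname, smac, src

def find_spoofing_hosts(log_text, min_packets=5, min_distinct_src=3):
    """Key on (ingress interface, source MAC), not on source IP.

    A LAN host forging source addresses still has one physical origin, so a
    single MAC emitting many packets under many source IPs is the signal.
    Returns {(if, mac): (packet_count, distinct_src_ip_count)} for every
    origin over both thresholds; that origin is what gets blocked upstream.
    """
    packets = defaultdict(int)
    srcs = defaultdict(set)
    for _ts, ifname, smac, src in parse(log_text):
        packets[(ifname, smac)] += 1
        srcs[(ifname, smac)].add(src)
    return {key: (n, len(srcs[key])) for key, n in packets.items()
            if n >= min_packets and len(srcs[key]) >= min_distinct_src}

if __name__ == "__main__":
    for (ifname, mac), (n, d) in find_spoofing_hosts(SAMPLE_LOG).items():
        print(f"{ifname} {mac}: {n} packets under {d} distinct source IPs")
```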

-----Original Message-----
From: overclocking_a_la_abuela@hotmail.com [mailto:overclocking_a_la_abuela@hotmail.com]
Sent: Monday, February 18, 2002 04:43
To: vuln-dev@securityfocus.com
Subject: Re: Firewall-1 and ISA D.o.S.

In-Reply-To: <3.0.5.32.20020218085949.012f4100@192.228.128.13>

When you stop the attack, the firewall recovers, but think that in the case of ISA D.o.S. I'm sending spoofed packets, so it will be more difficult to find the attacker (if you have no IDS or similar).

Suppose the length of the D.o.S. is 1 hour... nobody can surf the web, you cannot access the ISA..., probably no VPN,...

Think about it.

Hugo Vázquez Caramés
Security Consultant
