RE: Firewall-1 and ISA D.o.S.

From: Dom De Vitto
Date: 02/19/02

From: "Dom De Vitto" <>
To: <>, <>
Date: Mon, 18 Feb 2002 23:27:17 -0000

 |Hi Dom,
 |I know that you can increase the connections
 |managed by the kernel of FW-1; I will increase it to
 |50.000 (some time ago CheckPoint said to me that it
 |was the limit...), but I think the problem is not on that
 |feature. When I send packets, I always send the
 |same packet (same source port, same dest port,
 |same source address, same dest address, same
 |sequence number, ...), so do you think FW-1 tracks
 |every packet received as a new connection, or does it only
 |refresh its state table as if there were only one
 |connection?
Wow, then that's a bug, as "duplicates" should be dropped.

 |Moreover, ippacket generates packets at a very high
 |rate, and I do not believe FW-1 ( and many other
 |firewalls ) is able to manage this flood of SYN
Yep, some firewalls don't even do wire speed, and many can't
cope when it's all small packets.

 |"RTFM" ---> Yes, I read it a loooong time ago, ... have
 |you at least tried to apply the D.o.S. that I describe?

No need, on a Pix I've seen it hang because of a single Nimda'd
box! When you limit the connection table size, down to a single
host, then resource exhaustion just freezes comms for that host
for a little while. I don't think you can do it for a CPK box,
which is a design feature (fully-shared vs. allocated table space)
- somewhere in between would be nice.

Sorry for the comment, it was a long day, and your points
seemed (fairly) obvious. Of course, if duplicate packets are
causing a problem, then that's a big bug.
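To make the state-table question concrete, here is a toy connection tracker (an added example, not Check Point's code or anything posted in the thread): packets with an identical 5-tuple refresh one entry instead of creating new ones, and a per-host quota versus a fully shared table shows the "allocated vs. fully-shared" trade-off described above. Capacity, quota and addresses are constructed values.

```python
"""Toy stateful connection table (constructed model, not a real firewall)."""
from collections import namedtuple

# Connection identity: the 5-tuple. A retransmitted SYN has the same key.
Flow = namedtuple("Flow", "proto src sport dst dport")


class ConnTable:
    def __init__(self, capacity, per_host_quota=None):
        self.capacity = capacity              # total entries, shared by everyone
        self.per_host_quota = per_host_quota  # optional cap per source address
        self.entries = {}                     # Flow -> last-seen timestamp
        self.dropped = 0                      # new flows refused for lack of room

    def seen(self, flow, now):
        """Account for one packet; return True if it has a state-table slot."""
        if flow in self.entries:
            # Same 5-tuple again: refresh the existing entry, never add one.
            # A tracker that allocated a fresh entry here would be the bug
            # the thread worries about.
            self.entries[flow] = now
            return True
        if self.per_host_quota is not None:
            used = sum(1 for f in self.entries if f.src == flow.src)
            if used >= self.per_host_quota:
                self.dropped += 1  # only this source is starved
                return False
        if len(self.entries) >= self.capacity:
            self.dropped += 1      # shared table full: every source is starved
            return False
        self.entries[flow] = now
        return True


def repeat_same_syn(table, count):
    """Replay one identical SYN `count` times; returns resulting entry count."""
    flow = Flow("tcp", "192.0.2.10", 40000, "10.0.0.1", 80)  # constructed
    for t in range(count):
        table.seen(flow, now=t)
    return len(table.entries)


def flood_distinct_ports(table, src, count):
    """Model `count` SYNs from `src` with distinct source ports (constructed)."""
    for i in range(count):
        table.seen(Flow("tcp", src, 1024 + i, "10.0.0.1", 80), now=i)
    return len(table.entries)
```

Run the two table policies side by side to see that the shared table locks out an unrelated client once full, while the quota only throttles the flooding source.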

