There is also a DoS exploit for Firewall-1 that has recently been brought
to my attention (pardon me if it has been out for a while): the sending of
packets with the ACK flag set, but without a preceding SYN.

SYNs are usually now given a relatively low time-out to defend against
SYN flooding, until the ACK is sent and the SYN/ACK is received. Then the
ACK packets get a larger (3600?) timeout.

The "ACK attack" has the same effect as SYN floods, but uses ACKs instead.

What we do to watch for this, is we set up rules that drop/deny/ignore any
ACK packets from a session that has not sent a preceding SYN packet.

Joel Gridley
Site Patrol/Firewall Specialist          "Be the packet"
GTE Internetworking                       
Burlington, MA

On Wed, 4 Aug 1999, Dave Wreski wrote:

> 
> On 03-Aug-99 Bill Stackpole wrote:
> > There are two approaches to dealing with SYN floods.  Support so many tcp
> > connections that no one can send you enough open
> > request to use them all.  The other is to adaptively reduce the time-out for
> > SYN requests based on the number of available connections that remain.  In
> > other words, I have 20 connections available and a 30 second timeout.  When
> > I have only 8 connections available the timeout is reduced to 10.  Only 3,
> > reduced to 5, etc.
> 
> What about half-open SYNs?  Our IDS is picking these up as a normal course of
> daily activity, and I wondered if that is something that should filtered out. 
> What exactly is a half-open SYN, what causes it, and can it safely be filtered
> out when originating from internal machines?
> 
> Thanks,
> Dave
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
