On Wed, 10 Apr 2002, Mikael Olsson wrote:

> (unless specifically asked to do so, of course)

You're not getting off that easy!

> If you're referring to simply filling up the available reassembly
> slots, that will DoS fragment reassembly on a proxy equally well.

It depends on how much checking is done - there was a point in time where
at least one major PF wouldn't check sequence numbers before reassembling
or rejecting TCP frags!

> An SPF on the other hand, given that it can make the assumption that
> it can eat more kernel RAM in its in-kernel hooks (or doesn't even
> have a thing called "kernel RAM". hehe :)), and that it knows that
> it has to protect thousands of internal hosts, would potentially be
> better at this than a general-purpose IP stack designed for local
> reassembly only.

Everyone's stack that I could think of using for an ALG is tunable to the
same sort of extent and with all the appropriate performance tweaks already
in place. Before SYN floods were an attack, high-volume Web sites
experienced the same problem in daily use, and got stack writers at OS
vendors to crank out the appropriate code - so eating of kernel RAM is
equally appropriate. Right after we got them all fixing SYN floods, we
asked for frag handling to work the same way.

(It sucks when your Web server won't take any more connections, then you
figure out that the OS keeps socket state in a linear table, and it's
taking longer to walk the table and find the next open slot than the
timeout value on a socket - fixing the stack isn't something that
generally happens correctly on the first patch.)

> > On Wed, 10 Apr 2002, Mikael Olsson wrote:
> > > And here's one more for proxies: most (all?) proxy firewalls ride
> > > on top of full-fledged OSes, and when the proxy dies, it tends
> > > to leave the OS somewhat unshielded :)
> >
> > Unshielded how? If the proxy code is all that's bound to sockets,
> > the exposure window isn't all that horrific is it?
>
> Just a point of interest:
> Isn't it fairly common for (commercial) proxy firewalls to apply
> packet filtering on traffic to the firewall itself?

Now it's very common. But even without that, it's difficult to see a
scenario where a proxy-based firewall that's set up correctly has any
different exposure than a packet filter (except for those filters that use
the kernel's IP forwarding mechanisms, but that'd be coming up with point
arguments.)

> Now, you either need to stop dropping points that we (I? ;)) haven't
> finished arguing, or tell me where to pick up my cigar :)

Feh! By my count, I'm at least 4 points ahead! Yes, we're using a properly
weighted scoring mechanism, the rules are I win. ;)

I've only dropped the ones that will spiral into their own multi-megabyte
threads (Firewall as an IDS indeed!)

Fortunately for you, I don't smoke, so you'll just be forwarding beers ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
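A bounded fragment reassembly table of the kind this exchange argues any stack or firewall needs, as an added example (not code from the thread or from any product mentioned in it): a fixed slot count, a per-source quota so one host cannot fill the table for everyone, timeout eviction of incomplete datagrams, and a hash-keyed lookup instead of the linear table walk Paul describes. Limits, addresses and fragment contents are constructed values.

```python
import time
from collections import defaultdict

# Constructed limits; a real stack or firewall exposes these as tunables.
MAX_SLOTS = 8          # datagrams held in flight for the whole box
PER_SOURCE_QUOTA = 3   # cap per source address, so one host cannot fill the table
TIMEOUT = 30.0         # seconds before an incomplete datagram is discarded


class ReassemblyTable:  # hash-keyed, so finding a free slot is not a linear walk
    def __init__(self, now=time.monotonic):
        self.now = now
        self.slots = {}                     # (src, dst, ident) -> [first_seen, {offset: bytes}, total_len]
        self.per_source = defaultdict(int)  # src -> slots currently held by that source

    def _drop(self, key):
        del self.slots[key]
        self.per_source[key[0]] -= 1

    def _expire(self):
        cutoff = self.now() - TIMEOUT
        for key in [k for k, v in self.slots.items() if v[0] < cutoff]:
            self._drop(key)

    @staticmethod
    def _complete(frags, total):
        pos = 0                              # fragments must be contiguous and gap-free
        for off in sorted(frags):
            if off != pos:
                return False
            pos += len(frags[off])
        return pos == total

    def add(self, src, dst, ident, offset, payload, more):
        # Returns the datagram once complete, None while waiting, raises when refused.
        key = (src, dst, ident)
        if key not in self.slots:
            self._expire()                   # reclaim stale slots before refusing anyone
            if self.per_source[src] >= PER_SOURCE_QUOTA:
                raise ResourceWarning(f"{src} over per-source reassembly quota")
            if len(self.slots) >= MAX_SLOTS:
                raise ResourceWarning("reassembly table full")
            self.slots[key] = [self.now(), {}, None]
            self.per_source[src] += 1
        entry = self.slots[key]
        entry[1][offset] = payload
        if not more:                         # last fragment fixes the total length
            entry[2] = offset + len(payload)
        if entry[2] is not None and self._complete(entry[1], entry[2]):
            self._drop(key)
            return b"".join(entry[1][o] for o in sorted(entry[1]))
        return None
```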
