On 10/12/07, H D Moore <[EMAIL PROTECTED]> wrote:
> This is called marketing :-) If you want to support DoS attacks consisting
> of more than 10,000 sessions, you must upgrade to a more expensive box. Even
> the very high-end IPS products start hitting session limits after 1-2
> million concurrent sessions[1].

I understand :-). Is it not too expensive for small and medium businesses?

> Session limits are common across a wide range of routers, firewalls, and
> inline security devices. Most devices based on BSD/ipf have a hard limit
> in terms of number of sessions. IIRC, the Linux iptables code will dump
> old sessions in favor of new (when using NAT), so there is no stoppage,
> but connections can get dropped.
>
> These devices tend to be easy to DoS, but in most cases, a single service
> behind the device stops accepting connections before the device's own
> state table is filled.
>
> If you can fill the state table using just SYN packets (without doing a
> full session setup), then the device in question is just crap :-)

I could not exhaust state tables with TCP. I sent UDP:500 traffic with
different source ports to fill up the state table. It makes me wonder
whether many stateful devices are vulnerable to these kinds of attacks.

> -HD
>
> 1. <spam>My company's product (the BPS-1000) tests up to 5,000,000
> concurrent application sessions at once. In the lab, we see very few
> products that can handle more than 500,000. Our new 10G product
> (BPS-10000) can push 7,500,000 concurrent sessions.</spam>
>
> On Thursday 11 October 2007, Ravi Chunduru wrote:
> > can i say that these devices are vulnerable to simple DoS attacks?
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
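The two state-table behaviours HD describes above (a hard session limit, as on ipf-based boxes, versus dumping old sessions in favour of new, as on Linux NAT) react very differently to a single source spraying flows over many source ports. The simulation below is an added illustration written for this thread; it is not code from either poster or from any vendor product. The table, the flood of constructed UDP/500 flows from one address, the single "legitimate" TCP/443 flow, the capacity of 1000 entries, and the per-source cap of 100 are all assumptions chosen to make the three outcomes visible: with a hard limit the legitimate flow is refused once the table is full, with oldest-first eviction it is admitted but an existing session is silently dropped, and with a per-source-address cap (the kind of limit a defender would configure, e.g. connection limiting per client) the flood never reaches the table's capacity.

```python
"""Toy model of a stateful device's session table under a port-spray flood.

Added example for this thread, not code from the posters or any product.
Everything here (capacity, flows, addresses) is constructed sample data.
"""
from collections import OrderedDict

# A session key is (proto, src_ip, src_port, dst_ip, dst_port).


class StateTable:
    def __init__(self, max_sessions, policy="hard_limit", per_source_cap=None):
        # "hard_limit": refuse new sessions when full (ipf-style).
        # "evict_oldest": drop the oldest entry to make room (NAT-style).
        assert policy in ("hard_limit", "evict_oldest")
        self.max_sessions = max_sessions
        self.policy = policy
        self.per_source_cap = per_source_cap   # optional mitigation (assumed)
        self.sessions = OrderedDict()          # insertion order == age
        self.per_source = {}                   # src_ip -> live session count
        self.rejected = 0
        self.evicted = 0

    def _remove(self, key):
        del self.sessions[key]
        src = key[1]
        self.per_source[src] -= 1
        if self.per_source[src] == 0:
            del self.per_source[src]

    def admit(self, key):
        """Return True if a session for `key` exists or was installed."""
        if key in self.sessions:
            self.sessions.move_to_end(key)     # refresh: treat as recent
            return True
        src = key[1]
        if (self.per_source_cap is not None
                and self.per_source.get(src, 0) >= self.per_source_cap):
            self.rejected += 1                 # one client hit its cap
            return False
        if len(self.sessions) >= self.max_sessions:
            if self.policy == "hard_limit":
                self.rejected += 1             # table full: refuse
                return False
            self._remove(next(iter(self.sessions)))   # make room
            self.evicted += 1
        self.sessions[key] = True
        self.per_source[src] = self.per_source.get(src, 0) + 1
        return True


def flood(table, n, src="198.51.100.7", dst="203.0.113.10"):
    """Constructed flood: one source address, n distinct source ports, UDP/500."""
    for port in range(1024, 1024 + n):
        table.admit(("udp", src, port, dst, 500))


def legit(table, src="192.0.2.5", dst="203.0.113.10"):
    """Constructed legitimate TCP/443 flow arriving after the flood."""
    return table.admit(("tcp", src, 40000, dst, 443))


def run(policy, per_source_cap=None, capacity=1000, flood_size=1500):
    """Flood the table, then see whether a legitimate flow still gets in."""
    t = StateTable(capacity, policy, per_source_cap)
    flood(t, flood_size)
    ok = legit(t)
    return {"legit_admitted": ok, "sessions": len(t.sessions),
            "rejected": t.rejected, "evicted": t.evicted}


if __name__ == "__main__":
    for args in (("hard_limit",), ("evict_oldest",), ("hard_limit", 100)):
        print(args, run(*args))
```

The counters are the point: a hard-limit device reports the legitimate flow as refused and nothing evicted, an evict-oldest device reports it as admitted but with one eviction more than the flood alone caused (some earlier session was silently torn down), and the per-source cap keeps the flood at 100 entries regardless of how many source ports it uses. The same three numbers (table occupancy, refusals, evictions per source) are what you would want a real device to expose so that this condition is visible before users start seeing dropped connections.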
