Guess I was not being clear. I was not being specific to VPN ports 500 or 1701 or associated ports. I was just trying to point out why you were able to fill up the state table with just UDP packets with different source ports but having the same SIP-DIP:DP.

If the VPN server would handle only N clients at a time, then the IPS really shouldn't be seeing more than 'N' UDP sessions. If the server won't process it, then the IPS shouldn't be doing it either. How is another matter! ;-)

Rahul

On 10/16/07, Ravi Chunduru <[EMAIL PROTECTED]> wrote:
> Rahul,
>
> Is it not common to have an IPsec VPN server in typical network deployments?
>
> Regards
> Ravi
>
> On 10/15/07, Rahul K <[EMAIL PROTECTED]> wrote:
> > On 10/13/07, Ravi Chunduru <[EMAIL PROTECTED]> wrote:
> > > On 10/12/07, H D Moore <[EMAIL PROTECTED]> wrote:
> > > > If you can fill the state table using just SYN packets (without doing a
> > > > full session setup), then the device in question is just crap :-)
> > >
> > > I could not exhaust state tables with TCP. I sent UDP:500 traffic
> > > with different source ports to fill up the state table. It makes me
> > > wonder whether many stateful devices are vulnerable to these kinds of
> > > attacks.
> >
> > UDP may be stateless, but the moment an IPS receives a UDP packet
> > with some content it would have to initialize and maintain a session
> > for that packet because the signature matching and other checks have
> > to kick in. So it is not surprising that you could fill up the state
> > table with UDP:500 traffic. It is easier to spoof UDP packets than
> > complete the 3-way TCP handshake, so you may have been able to fill up
> > the table faster too.
> >
> > However in your deployment scenario, would you really be allowing
> > incoming UDP traffic or would your firewall be dropping them before it
> > is seen by the IPS?
> >
> > Rahul
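
The per-service cap suggested at the top of this message (track no more than 'N' UDP sessions for a server that handles N clients), as an added example that is not part of the original thread. It is a toy Python model of an IPS session table; the class, the table sizes and the documentation-range addresses are constructed assumptions, and session aging is left out.

```python
from collections import Counter


class StateTable:
    """Toy IPS session table keyed on (sip, sport, dip, dport) for UDP."""

    def __init__(self, capacity, per_service_limit=None):
        self.capacity = capacity                    # total session slots
        self.per_service_limit = per_service_limit  # the 'N' from the post
        self.sessions = set()
        self.per_service = Counter()                # sessions per (dip, dport)

    def admit(self, sip, sport, dip, dport):
        """Return True if the packet has, or is given, a session entry."""
        key = (sip, sport, dip, dport)
        if key in self.sessions:
            return True
        service = (dip, dport)
        if (self.per_service_limit is not None
                and self.per_service[service] >= self.per_service_limit):
            return False  # service already at N sessions: allocate nothing
        if len(self.sessions) >= self.capacity:
            return False  # table exhausted: new flows get no inspection state
        self.sessions.add(key)
        self.per_service[service] += 1
        return True


def simulate(per_service_limit):
    """Replay constructed traffic; return (sessions used, later flow admitted)."""
    table = StateTable(capacity=1000, per_service_limit=per_service_limit)
    # Constructed input: same SIP-DIP:DP, 5000 different source ports.
    for sport in range(1024, 1024 + 5000):
        table.admit("192.0.2.10", sport, "198.51.100.5", 500)
    # An unrelated flow to a different service arrives afterwards.
    other_ok = table.admit("192.0.2.77", 40000, "198.51.100.53", 53)
    return len(table.sessions), other_ok


if __name__ == "__main__":
    print("no per-service cap:", simulate(None))
    print("cap of N=50       :", simulate(50))
```

Without the cap the single SIP-DIP:DP consumes every slot and the later flow gets no state; with the cap the same traffic is held to N entries and the rest of the table stays available.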
