About all SYNDefender can do is mitigate a SYN flood. It cannot stop one.
It is highly recommended you also take appropriate steps to secure all
externally accessible hosts against a SYN attack.
-- PhoneBoy
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 25, 2000 2:29 AM
> To: Fw-1-Mailinglist
> Subject: [FW1] SYN Flood Attack
>
> Hi,
>
> Yesterday the servers in our lab, protected by a freshly squeezed
> FireWall-1 2000, got visited by an -invited- hacker. His job was to do his
> usual hacking stuff, the works, on our servers, to test our security
> enforcement. He did what I expected him to do. He started with portscanners,
> and soon he found our webserver. It's the only server we have which anyone
> on the net can access. He then started with SYN flood attacks. At first, the
> SYNDefender troubled his attempts, but eventually he brought the web server
> to its knees.
>
> Tighten the SYNDefender timeout, you say? Problem is: the setting was
> chosen based on tests, in which the SYNDefender at first dropped 50% of our
> own http network connections. We chose a setting with which 'only' 5% of our
> connections got dropped, but apparently, SYN flood attacks are again made
> possible. To my estimate, approximately 20 to 25% of the thousands of
> http-connections in the attack got disconnected by the SYNDefender. The rest
> was enough to kill the IIS.
>
> Has anyone experience with this?
> Kurt Haegeman - Network Security Engineer, CCSA
> Dolmen Computer Applications
> <http://www.dolmen.be>