[unisog] High speed firewalls - Connections per second not bits per second

Russell Fulton r.fulton at auckland.ac.nz
Tue Feb 22 21:10:28 GMT 2005


On Tue, 2005-02-22 at 12:54 -0800, Gary MacIsaac wrote:

> > Allows a 1000 maximum connections from a given source at a rate of 1000
> > per 5 seconds (max-src-conn 1000, max-src-conn-rate 1000/5), passes hosts
> > which exceed these bounds into the <bad> table and flushes all connections
> > originating from that host (overload <bad> flush global), and retains
> > source tracking entries for 5 seconds after the last state expires
> > (src.track 5).
> >
> > Combine this with adaptive state table entries and you'll ensure that you
> > don't run out of states.
> >
> > Chris
> 
> Hi,
> 
> Does this mean that if a particular source on a subnet just cycles through
> spoofing source addresses within that subnet at high rates, it would be
> able to force all the IP addresses on that subnet into the <bad> table for
> an extended period?

No, because synproxy requires the completion of the handshake.

Anyway, I don't see internal DoS to be a big issue since it is easy
enough to track down who is doing it and you can then hang them by
whatever appendage takes your fancy.

Russell
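As an added example, not code from the thread, here is the rule Chris describes written out as a pf.conf fragment, with synproxy as Russell's reply assumes; the $ext_if macro, the 12000-state limit and port 80 are assumptions for illustration:

```pf
# Hosts that exceed the limits below end up here; 'persist' keeps the
# table alive even while it is empty.
table <bad> persist

# Adaptive state timeouts: once the table holds 6000 states pf scales
# timeouts down linearly, reaching zero at the 12000-state limit, so the
# table never fills completely (the values are assumed for this example).
set limit states 12000
set timeout { adaptive.start 6000, adaptive.end 12000 }

# Anything already in <bad> is dropped before the pass rule is consulted.
block in quick on $ext_if from <bad>

# synproxy completes the TCP three-way handshake on the firewall before a
# state is created, so only connections from a source that can actually
# answer count toward max-src-conn and max-src-conn-rate; a flood of SYNs
# with forged source addresses cannot push those addresses into <bad>.
pass in on $ext_if proto tcp to $ext_if port 80 flags S/SA synproxy state \
    (max-src-conn 1000, max-src-conn-rate 1000/5, \
     overload <bad> flush global, src.track 5)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is where to check the syntax before applying the rule set.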