
RE: [FW1] Protection from DoS attacks



Tomas,

I'm not an expert on DoS, but maybe this will help...

DoS attacks are notoriously difficult to protect against, and affect
Solaris machines, too.  It's pretty easy to crash a FW-1 box with a
massive traffic onslaught.

I put DoS attacks into two categories:
	- CPU attacks (e.g. ping flood)
	- Memory attacks (e.g. SYN flood)

A CPU attack is a brute-force attempt to completely overwhelm the packet
processing ability of the box to the point where it maxes out the CPU
and starves user-space processes to death (e.g., the FW-1 daemon),
causing them to destabilize and ultimately crash.  The latest version of
RainWall (HA/LB software for FW-1) has a little-known feature called CPU
Overload Protection, which can help, especially in the case of a ping
flood.  It monitors CPU health and adds a "safety valve" to make sure
the CPU is never completely maxed out.  In other words, once you exceed
a user-definable threshold, it will start dropping lower-priority
packets (like pings) before they overwhelm the CPU.  That way the
user-space processes don't crash and you can still administer the box
even when it is being hammered by massive amounts of traffic.  RainWall
info at: http://www.rainfinity.com

A memory attack is more clever, and doesn't take as much raw traffic
generation power to execute.  In this case, the goal is to force the
machine to allocate memory for things that don't really exist.  The
classic example is a SYN flood, where the bad-actor initiates lots of
new TCP connections with no intention of completing them.  Even though
the CPU still has plenty of horsepower to process packets, all available
connection slots are filled with bogus connections and no-one new can
get in.  FW-1 might not crash, but you are hosed just the same until all
the connections time out.  Check Point's SYNDefender can help with this.
Read more at:
http://www.checkpoint.com/products/firewall-1/syndefender.html

HTH,

Mark L. Decker
Rainfinity
[email protected]
www.rainfinity.com

> -----Original Message-----
> From: Tomas Norum
>
> I have tested my FW1(on windows 2000 - all default services
> enabled) against several types of DoS attacks, including ping
> flood. My rulebase allowed any service out towards the
> internet, but nothing in. In our 100Mbps network we
> set up 4 computers running several windows with krate. The 4
> computers nukes the Firewall on port 80, the most common port
> in use on such systems. After about 3 minutes with massive
> attacks the FW module crashed and rebooted.
>
> Does anyone know how to protect my system against such
> attacks? Is this possible on a NT based computer?
> Is this a problem on Solaris boxes as well?
>

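The CPU-versus-memory split Mark describes, as an added example that is not part of the original post or any vendor's code: two detection heuristics run over constructed firewall-style log lines, one for a ping flood (raw packet rate per source, the CPU case) and one for a SYN flood (half-open connections per source, the memory case). The log format, addresses and thresholds are assumptions made for the example.

```python
"""Detection heuristics for the two DoS categories discussed in the thread,
run over constructed firewall-style log lines: a ping flood (raw packet rate,
the CPU case) and a SYN flood (half-open connections, the memory case).
Added example; not code from the list post, RainWall or Check Point."""
from collections import defaultdict

# Constructed log format, an assumption rather than a real FW-1 log layout:
#   "<seconds> <proto> <src> <dst> <flag>"  flag: S = SYN, A = handshake ACK, E = ICMP echo
SAMPLE_LOG = "\n".join(
    ["0.00 TCP 10.1.1.5 192.0.2.10:80 S", "0.01 TCP 10.1.1.5 192.0.2.10:80 A",   # legit client
     "0.05 TCP 10.1.1.5 192.0.2.10:443 S", "0.06 TCP 10.1.1.5 192.0.2.10:443 A"]
    + [f"0.{i + 10:02d} TCP 203.0.113.7 192.0.2.10:80 S" for i in range(5)]     # SYNs never ACKed
    + [f"0.{i + 30:02d} ICMP 198.51.100.3 192.0.2.10 E" for i in range(8)]      # 8 echoes in one second
    + ["2.00 ICMP 10.1.1.8 192.0.2.10 E"]                                      # one ordinary ping
)

def parse(line):
    """Split one log line into (timestamp, proto, src, dst, flag)."""
    ts, proto, src, dst, flag = line.split()
    return float(ts), proto, src, dst, flag

def analyze(log_text, half_open_threshold=3, echo_per_second_threshold=5):
    """Return per-source half-open counts, peak echo rate per second, and the
    sources flagged by each heuristic.  Half-open = SYNs seen minus handshake ACKs."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    echoes = defaultdict(int)              # (src, whole second) -> echo count
    for line in log_text.splitlines():
        ts, proto, src, dst, flag = parse(line)
        if proto == "TCP" and flag == "S":
            syns[src] += 1
        elif proto == "TCP" and flag == "A":
            acks[src] += 1
        elif proto == "ICMP" and flag == "E":
            echoes[(src, int(ts))] += 1
    half_open = {src: max(0, syns[src] - acks[src]) for src in syns}
    peak_echo = defaultdict(int)
    for (src, _), n in echoes.items():
        peak_echo[src] = max(peak_echo[src], n)
    return {
        "half_open": half_open,
        "peak_echo_per_second": dict(peak_echo),
        "syn_flood_sources": sorted(s for s, n in half_open.items() if n >= half_open_threshold),
        "ping_flood_sources": sorted(s for s, n in peak_echo.items() if n >= echo_per_second_threshold),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the SYN heuristic flags 203.0.113.7 (five SYNs, no completing ACK) and the rate heuristic flags 198.51.100.3 (eight echoes inside one second), while the legitimate client and the single ping pass.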

