RE: [FW1] Protection from DoS attacks
Tomas,

I'm not an expert on DoS, but maybe this will help... DoS attacks are notoriously difficult to protect against, and affect Solaris machines, too. It's pretty easy to crash a FW-1 box with a massive traffic onslaught.

I put DoS attacks into two categories:

- CPU attacks (e.g. ping flood)
- Memory attacks (e.g. SYN flood)

A CPU attack is a brute-force attempt to completely overwhelm the packet processing ability of the box to the point where it maxes out the CPU and starves user-space processes to death (e.g., the FW-1 daemon), causing them to destabilize and ultimately crash. The latest version of RainWall (HA/LB software for FW-1) has a little-known feature called CPU Overload Protection, which can help, especially in the case of a ping flood. It monitors CPU health and adds a "safety valve" to make sure the CPU is never completely maxed out. In other words, once you exceed a user-definable threshold, it will start dropping lower-priority packets (like pings) before they overwhelm the CPU. That way the user-space processes don't crash and you can still administer the box even when it is being hammered by massive amounts of traffic.

RainWall info at: http://www.rainfinity.com

A memory attack is more clever, and doesn't take as much raw traffic generation power to execute. In this case, the goal is to force the machine to allocate memory for things that don't really exist. The classic example is a SYN flood, where the bad actor initiates lots of new TCP connections with no intention of completing them. Even though the CPU still has plenty of horsepower to process packets, all available connection slots are filled with bogus connections and no one new can get in. FW-1 might not crash, but you are hosed just the same until all the connections time out.

Check Point's SYNDefender can help with this. Read more at: http://www.checkpoint.com/products/firewall-1/syndefender.html

HTH,
Mark L. Decker
Rainfinity
[email protected]
www.rainfinity.com

> -----Original Message-----
> From: Tomas Norum
>
> I have tested my FW1 (on Windows 2000 - all default services
> enabled) against several types of DoS attacks, including ping
> flood. My rulebase allowed any service out towards the
> internet, but nothing in. In our 100Mbps network we
> set up 4 computers running several windows with krate. The 4
> computers nuke the Firewall on port 80, the most common port
> in use on such systems. After about 3 minutes with massive
> attacks the FW module crashed and rebooted.
>
> Does anyone know how to protect my system against such
> attacks? Is this possible on an NT-based computer?
> Is this a problem on Solaris boxes as well?
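To make the "memory attack" mechanism concrete, here is an added example (not code from the thread, from Check Point, or from Rainfinity) that models a firewall's fixed-size half-open connection table: unacknowledged SYNs fill every slot, a legitimate client is refused until the entries time out, and aging out the oldest half-open entry under pressure keeps a slot available. The early-reclaim behaviour is a generic, hypothetical illustration of that idea, not SYNDefender's actual mechanism.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Fixed-capacity table of half-open TCP connections (SYN seen, no final ACK)."""

    def __init__(self, capacity, timeout, early_reclaim=False):
        self.capacity = capacity
        self.timeout = timeout            # seconds a half-open entry may linger
        self.early_reclaim = early_reclaim  # hypothetical: evict oldest entry when full
        self.entries = OrderedDict()      # (src_ip, src_port) -> time of SYN
        self.rejected = 0

    def expire(self, now):
        """Drop entries whose handshake never completed within the timeout."""
        stale = [k for k, t0 in self.entries.items() if now - t0 >= self.timeout]
        for key in stale:
            del self.entries[key]

    def syn(self, key, now):
        """Handle an incoming SYN; returns True if a slot was allocated."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            if not self.early_reclaim:
                self.rejected += 1        # table full: newcomer is turned away
                return False
            self.entries.popitem(last=False)  # reclaim the oldest half-open slot
        self.entries[key] = now
        return True

    def ack(self, key):
        """Completed handshake frees the half-open slot."""
        return self.entries.pop(key, None) is not None


def simulate(early_reclaim, legit_time):
    """Constructed flood: 500 SYNs in 5 s from spoofed sources, none ever acked,
    then one legitimate client connecting at legit_time. Returns (accepted, rejected)."""
    table = HalfOpenTable(capacity=100, timeout=60.0, early_reclaim=early_reclaim)
    for i in range(500):
        table.syn(("10.0.0.%d" % (i % 250), 40000 + i), now=i * 0.01)
    client = ("192.0.2.10", 51000)
    accepted = table.syn(client, now=legit_time)
    if accepted:
        table.ack(client)                 # real client finishes the handshake
    return accepted, table.rejected
```

With plain timeouts the legitimate client is refused at 10 s and only succeeds once the bogus entries have aged out at 61 s; with early reclaim it gets in immediately, which is the property a SYN-flood defense on the gateway has to provide.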