Re: [FW1] FW1 vs. high-volume DNS traffic (or any UDP traffic for that matter)
On Mon, 29 Jan 2001, Olof Olsson wrote:

[problems with high-volume DNS traffic through FW-1]

> 1) With a 50K connection table size, one can only handle less than 400
> DNS queries/s
> 2) With a 100K connection table size, one can handle around 1000 DNS
> queries/s
> 3) It could be very "bad" to have the UDP timeout set to a "high value".
>
> and most importantly:
>
> 4) It would seem that FW-1 could have serious problems handling
> high-volume DNS/UDP sites.
> 5) It would also seem that an "easy" denial of service attack against
> FW-1 would be to spray it with a largish number of DNS queries. (Or any
> other UDP traffic that is allowed by the ruleset.) However, I have not
> tried this.

I think so too.

> The only workarounds that I can see are:
>
> 1) Avoid using FW-1 in high-volume UDP applications. For example, put
> hardened router ACL protected DNS boxes outside of the firewalls.

ACK

> 2) Increase the connection table size to something large, say 100K -
> 300K. (Assuming FW-1 can handle these connection table sizes. 100K seems
> OK, haven't tested anything larger.)
>
> 3) Decrease the UDP timeout. However, I believe that 40s is the minimum.
> Also, due to the exponential backoff used by DNS, it is probably a very
> bad idea to use anything smaller anyway.
> 4) Drop Checkpoint and use another firewall that can support very large
> connection table sizes.

What can you recommend?

> I would be _extremely_ interested in hearing about other people's
> experiences in relation to FW-1 UDP performance in general and DNS
> performance in particular.

I know the problem with UDP and FW-1. I prefer your workaround 1.

Regards,

Micha Borrmann

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
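The mechanism behind Olof's numbers, as an added illustration that is not part of the thread and not FW-1 code: a stateful firewall keeps one UDP "connection" entry per (client, port, server, port) tuple until the entry has been idle for the UDP timeout, so the steady-state occupancy of the table is (new flows per second) x (timeout), and once that exceeds the table size every further new flow is refused. The model below is idealised (one entry per query, no separate state for the reply, expiry done lazily on the next packet), so it shows the shape of the problem and of the UDP-spray denial of service rather than reproducing the measured 400 queries/s figure. The table size (50K) and the 40 s timeout are taken from the thread; the class and function names, the flow keys and the server address 192.0.2.53 are made up for the example.

```python
"""Idealised model of a stateful firewall's UDP connection table.

Added example for the FW-1 thread, not FW-1 code.  Each UDP query
opens one table entry that is kept for `timeout_ms` after its last
packet; a new flow is refused when the table is full.  All traffic
and numbers here are constructed, not measured.
"""
from collections import OrderedDict


class UdpConnTable:
    """Fixed-size table whose entries are ordered by last activity."""

    def __init__(self, max_entries, timeout_ms):
        self.max_entries = max_entries
        self.timeout_ms = timeout_ms
        self.entries = OrderedDict()   # flow key -> time of last packet (ms)
        self.admitted = 0              # new flows accepted
        self.dropped = 0               # new flows refused (table full)

    def _expire(self, now_ms):
        # The least recently active entry is at the front; stop at the
        # first one that is still inside its timeout.
        while self.entries:
            key, last = next(iter(self.entries.items()))
            if now_ms - last < self.timeout_ms:
                break
            del self.entries[key]

    def packet(self, now_ms, key):
        """Return True if the packet is passed, False if it is dropped."""
        self._expire(now_ms)
        if key in self.entries:        # known flow: refresh its timer
            self.entries.move_to_end(key)
            self.entries[key] = now_ms
            return True
        if len(self.entries) >= self.max_entries:
            self.dropped += 1
            return False
        self.entries[key] = now_ms
        self.admitted += 1
        return True


def sustainable_rate(max_entries, timeout_s):
    """New flows per second the table can carry at steady state.

    Occupancy settles at rate * timeout, so the ceiling is size / timeout.
    """
    return max_entries / timeout_s


def simulate(max_entries, timeout_s, queries_per_s, duration_s):
    """Push `queries_per_s` fresh DNS flows per second for `duration_s`
    seconds, each from a distinct client socket, as a resolver farm or a
    spoofed UDP spray would.  Returns (admitted, dropped, final occupancy).
    """
    table = UdpConnTable(max_entries, timeout_s * 1000)
    flow = 0
    for second in range(duration_s):
        for i in range(queries_per_s):
            # spread the second's queries evenly, integer milliseconds
            now_ms = second * 1000 + (i * 1000) // queries_per_s
            # constructed flow key: a unique client address/port per query
            key = ("client", flow, "192.0.2.53", 53)
            table.packet(now_ms, key)
            flow += 1
    return table.admitted, table.dropped, len(table.entries)


if __name__ == "__main__":
    size, timeout = 50_000, 40
    print("ceiling, new flows/s:", sustainable_rate(size, timeout))
    print("400 q/s for 120 s  :", simulate(size, timeout, 400, 120))
    print("2000 q/s for 120 s :", simulate(size, timeout, 2000, 120))
```

At 400 new flows/s the table settles at 16,000 live entries (400 x 40 s) and nothing is dropped. At 2,000 flows/s the demand is 80,000 entries against a 50,000 slot table: the table fills after 25 s, then refuses every new flow for the next 15 s until the oldest entries time out, and the pattern repeats, so about 1 - 50,000/80,000 = 37.5% of all queries are lost while the firewall stays "up". An attacker needs nothing more than packets with distinct source ports to drive the table into that state, which is the spray attack Olof describes; raising the table size or lowering the timeout only moves the ceiling, which is why keeping the busy DNS boxes in front of the firewall (workaround 1) removes the problem rather than resizing it.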