
Re: [FW1] SYNDefender Questions...



1>Things to consider on timeouts: some out of the way places, Africa, Middle
East, etc., may need more than 10 seconds for packet travel. My
experience says that if many of your customers are international, you may
want to watch your logs for lots of drops coming from other countries,
because they may actually be normal requests. Essentially you should not
always be getting attacks :)

2> I believe that this is the maximum sessions that are in a three-step TCP
sequence process, not simultaneous sessions, because this employs the use of
an additional state table specifically for SYNs.

3>If on Unix, redirect to syslog on your management console.

4>I'd say that SYNDefender is quite efficient; I would not imagine it using
much more processing power. Probably a 1 or 2% change in utilization. The
essential thing here would be memory, since the state tables do use more
memory.

5>Yes, the firewall sends a finalizing ACK before the client's packet is
received. I'm not sure I would like this method, although, as it does place a
heavier load on the firewall. Also, in version 4.0 I remember a bug with
using Active mode with NAT. Check the Check Point knowledge base.


-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-
Larry Pingree
Sr. Security Consultant
Email: [email protected]
Company: SiegeWorks
WebSite: http://www.siegeworks.com/
Security Installation, Training and Consulting
-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-
----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Monday, February 12, 2001 1:55 PM
Subject: [FW1] SYNDefender Questions...


>
> Hey Y'all,
> I'm thinking about turning on SYNDefender on our firewall to quell
> some recent trouble we've had with SYN flood DoS attacks against our
> network, and I have a few questions some of you guys may be able to shed
> some light on.
>
> 1) What is a reasonable timeout period?  10 seconds (the default) seems
> pretty good.  Generally you could consider anything that doesn't complete
> the three-way TCP handshake in that time period to be unusable anyways, or a
> SYN flood from a spoofed address.
>
> 2) Does SYNDefender continue to monitor connections after the three-way TCP
> handshake has completed as opposed to moving them out of a special area of
> memory (what would normally be the backlog queue on the target server)?  The
> reason I ask this is that I'm trying to set the 'maximum sessions' value to
> an appropriate number.  Should I set it to the number of TCP sessions that
> we normally have open at any given time (just under 50,000) or should I set
> it to the value of TCP sessions that are in the three-way handshaking
> process (in a target host's backlog queue) at any given time?  Is there any
> way to log when SYNDefender reaches the limit you set in the 'maximum
> session' setting?
>
> 3) The documentation says that all SYNDefender warning messages are output
> to the console.  Is there any way to log these to an error log?
>
> 4) How much extra load can I expect SYNDefender to put on the firewall?  I'm
> not too worried about processing power (or should I be?), but more worried
> about the amount of memory it may consume.
>
> 5) When SYNDefender is running in its non-passive mode, and it actually
> replies back to a SYN-ACK coming from an internal machine with an ACK, does
> it spoof the IP address of the external machine which originally made the
> request?  I don't see how it would work if it didn't, but I thought I'd ask.
> Does the same go for the RST if the external host doesn't ACK back?
>
> Thanks in advance for any answers you all can provide.
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice> E-mail  [email protected]
> Web     http://www.kde.state.ky.us/
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
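An added illustration of the point made in answer 2 and of the timeout discussed in question 1 (example code, not from this thread and not Check Point's implementation): a constructed model of a SYN-relay half-open table, in which an entry is removed once the handshake completes, so the maximum-sessions cap bounds handshakes in progress rather than established connections, and a legitimate but slow client that exceeds the 10-second timeout is counted as a drop. The class, the tuple keys and the trace are assumptions for the sake of the example.

```python
SYN_TIMEOUT = 10.0  # seconds; the SYNDefender default discussed in the thread

class HalfOpenTable:
    """Constructed SYN-relay state table: entries live only during the handshake."""

    def __init__(self, max_sessions, timeout=SYN_TIMEOUT):
        self.max_sessions = max_sessions  # caps half-open entries, not established ones
        self.timeout = timeout
        self.pending = {}      # (src, sport, dst, dport) -> time SYN was seen
        self.established = 0   # handshakes completed and handed off to the server
        self.drops = {}        # src -> entries expired or refused (what to watch in logs)
        self.limit_hits = 0    # times the max_sessions cap was reached

    def _expire(self, now):
        # Slow but legitimate clients on high-latency paths show up here (point 1).
        for key, t0 in list(self.pending.items()):
            if now - t0 > self.timeout:
                del self.pending[key]
                self.drops[key[0]] = self.drops.get(key[0], 0) + 1

    def syn(self, key, now):
        self._expire(now)
        if key in self.pending:
            return "retransmit"
        if len(self.pending) >= self.max_sessions:
            self.limit_hits += 1  # worth logging: this is the cap from question 2
            self.drops[key[0]] = self.drops.get(key[0], 0) + 1
            return "refused"
        self.pending[key] = now
        return "pending"

    def ack(self, key, now):
        self._expire(now)
        if self.pending.pop(key, None) is None:
            return "unknown"  # never seen, or already timed out
        self.established += 1
        return "established"

def run_demo():
    """Constructed trace: cap of 2 half-open entries; client B is too slow."""
    t = HalfOpenTable(max_sessions=2)
    a, b, c = ("A", 1, "S", 80), ("B", 1, "S", 80), ("C", 1, "S", 80)
    t.syn(a, 0.0); t.syn(b, 1.0)
    assert t.syn(c, 2.0) == "refused"       # table full while A and B are half-open
    assert t.ack(a, 3.0) == "established"   # A leaves the table and frees a slot
    assert t.syn(c, 3.0) == "pending"
    assert t.ack(b, 12.0) == "unknown"      # B took 11 s, past the 10 s timeout
    assert t.ack(c, 12.0) == "established"  # C took 9 s and completes normally
    return {"established": t.established, "pending": len(t.pending),
            "limit_hits": t.limit_hits, "drops": t.drops}
```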