On Fri, 30 Jul 1999, Jeff Roberson wrote:
> It seems to me that if they maintain TCP state they could set a
> significantly smaller timeout if the connection is not established. So a
> timeout of a minute should be set on the initial syn request, and the
> larger timeout should only be used after the connection is established.
Actually, this is how it DOES work. When you get a chance, check out my
website, where I go into detail on how it works. Where it breaks down is
its handling of ACK packets. If I intiate a connection with an ACK packet,
then the connection is automatically added to the connections table for
3600 seconds, regardless if the remote system responds or not. You now
have a dead connection filling your connections table for an hour. Send
alot of these packets, and you quickly fill your connections table. An
example is "nmap -sP -PT80 10.0.0.0/8" launched by an internal system
would quickly fill most connections tables.
> Also, if they implemented a circular buffer where connections that had
> been idle the longest were disconnected in favor of new connections their
> scalability might increase some.
Excellent recommendation, I'll pass it along to Check Point!
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
