I ran into a similar problem.  The connections table has a configurable
limit, but the xlation table doesn't (FW-1 3.x).  Someone in Romania (I
*think* it was) evidently was unhappy with his ISP, so he sent out a
virus which would cause the infected machine to spawn a zillion
half-open connections to the ISP.  For a FW-1 system running NAT, it
would cause a DoS when the xlate table filled.  It has a hard limit of
25000.

Like many others here, I wrote a perl script to dump the xlation table,
count the slots for each machine and sort them, allowing me to find
the culprit.  According to Symantec, it is a relatively uncommon virus.

"Spitzner, Lance" wrote:

> I would greatly appreciate if you could pass this along.
> It does a much better job of explaining what the exact
> problem/DoS is with FW-1.

> I would greatly appreciate if anyone could prove/disprove
> this. Also, FW-1's SynDefender did not protect against this
> attack.
>
> Lance
> http://www.enteract.com/~lspitz

--
"Intrinsically lazy, therefore creative"
PGP Fingerprint: 22 68 D5 18 7F 3D D2 28  38 97 90 97 17 55 61 59
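The per-host slot count described in the post above, as an added example in Python rather than the poster's own perl script; the dump line layout is constructed for this example (it is not the real `fw tab` output format), and the 25000 hard limit is the figure given in the post.

```python
import re
from collections import Counter

# Hard limit of the FW-1 3.x translation table, as stated in the post.
XLATE_HARD_LIMIT = 25000

# Constructed sample of a translation-table dump.  The column layout
# (internal source -> translated source -> destination) is an assumption
# made for this example, not the real firewall dump format.
SAMPLE_DUMP = """\
10.0.0.5:1025 -> 192.0.2.1:1025 -> 203.0.113.9:80
10.0.0.5:1026 -> 192.0.2.1:1026 -> 203.0.113.9:80
10.0.0.7:2000 -> 192.0.2.1:2000 -> 198.51.100.4:25
10.0.0.5:1027 -> 192.0.2.1:1027 -> 203.0.113.9:80
10.0.0.9:3000 -> 192.0.2.1:3000 -> 198.51.100.4:443
"""

# Internal source address at the start of each entry line.
ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+\s+->")


def count_slots(dump):
    """Return a Counter of translation slots held per internal host."""
    counts = Counter()
    for line in dump.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def top_consumers(dump, limit=XLATE_HARD_LIMIT):
    """Hosts sorted by slot count, each with its share of the hard limit."""
    counts = count_slots(dump)
    return [(host, n, n / limit) for host, n in counts.most_common()]


def suspects(dump, share=0.10, limit=XLATE_HARD_LIMIT):
    """Hosts holding more than `share` of the table: the likely culprits."""
    return [host for host, n, frac in top_consumers(dump, limit)
            if frac > share]


if __name__ == "__main__":
    for host, n, frac in top_consumers(SAMPLE_DUMP):
        print(f"{host:15} {n:6d} slots ({frac:.3%} of limit)")
```

On a real dump the regex must be adapted to the firewall's actual column layout; the counting and threshold logic stay the same.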
