On 10/12/07, Nelson Brito <[EMAIL PROTECTED]> wrote:
> No, it does not mean the IPS and/or Firewall is vulnerable... It means that
> the IPS and/or Firewall was designed to handle this amount.

Exactly. All choke points have their limit. If you have a 100 megabit uplink to the Internet and a distributed attacker is able to source 110mbps of spoofed DoS traffic, that doesn't mean your firewall is "vulnerable" to a pure noise DoS flood.

> In fact, before you blame the IPS and/or Firewall you should
> consult the specifications to be sure you are reaching the device's limit.

But a well-designed Firewall shouldn't fall over under a sustained DoS, should have a well-implemented state engine, synproxy, and RED, such that under most types of DoS traffic, legitimate sessions still have a chance to get through.

On 10/12/07, H D Moore <[EMAIL PROTECTED]> wrote:
> If you can fill the state table using just SYN packets (without doing a
> full session setup), then the device in question is just crap :-)

No argument here.

Kevin
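The point made in this thread, that a state table filled by bare SYNs is a design defect while a synproxy defers state until the handshake completes, modelled as an added example that is not part of the original thread. The two firewall classes, the toy HMAC-based SYN cookie and the constructed 10.x/198.51.100.x flows are all assumptions made for illustration; a real stack rotates the cookie key and encodes MSS and a timestamp in the cookie.

```python
import hashlib, hmac, os, random

SECRET = os.urandom(16)   # a real stack rotates this key periodically
MASK = 0xFFFFFFFF

def syn_cookie(flow):
    """Stateless initial sequence number derived from the 4-tuple (toy SYN cookie)."""
    msg = "{}:{}>{}:{}".format(*flow).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class NaiveFirewall:
    """Allocates a state-table entry as soon as a SYN arrives."""
    def __init__(self, capacity):
        self.capacity, self.table = capacity, {}
    def on_syn(self, flow):
        if len(self.table) >= self.capacity:
            return None                          # table full: SYN dropped
        isn = random.getrandbits(32)
        self.table[flow] = ("SYN_RECV", isn)     # half-open state held for every SYN
        return isn                               # ISN carried in our SYN-ACK
    def on_ack(self, flow, ack):
        entry = self.table.get(flow)
        if entry is None or ack != (entry[1] + 1) & MASK:
            return False
        self.table[flow] = ("ESTABLISHED", entry[1])
        return True

class SynProxyFirewall(NaiveFirewall):
    """Answers SYNs statelessly with a cookie; state is created only on a valid ACK."""
    def on_syn(self, flow):
        return syn_cookie(flow)                  # nothing stored yet
    def on_ack(self, flow, ack):
        if ack != (syn_cookie(flow) + 1) & MASK:
            return False                         # ACK does not complete our cookie
        if len(self.table) >= self.capacity:
            return False
        self.table[flow] = ("ESTABLISHED", syn_cookie(flow))
        return True

def legit_sessions_through(fw, spoofed_syns, legit_clients):
    """Feed SYNs that never complete (constructed addresses), then count clients that still finish a handshake."""
    for i in range(spoofed_syns):
        fw.on_syn(("10.%d.%d.%d" % (i >> 16 & 255, i >> 8 & 255, i & 255),
                   40000 + i % 20000, "192.0.2.10", 80))
    done = 0
    for i in range(legit_clients):
        flow = ("198.51.100.%d" % (i % 250 + 1), 50000 + i, "192.0.2.10", 80)
        isn = fw.on_syn(flow)
        if isn is not None and fw.on_ack(flow, (isn + 1) & MASK):
            done += 1
    return done
```

With a 1000-entry table and 5000 half-open SYNs, the naive design admits no new sessions at all, while the synproxy design still completes every legitimate handshake and holds state only for those.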
