Hi,
Yesterday the servers in our lab, protected by a freshly squeezed FireWall-1
2000, got visited by an -invited- hacker. His job was to do his usual
hacking stuff, the works, on our servers, to test our security enforcement.
He did what I expected him to do. He started with portscanners, and soon he
found our webserver. It's the only server we have which anyone on the net
can access. He then started with SYN flood attacks. At first, the
SYNDefender troubled his attempts, but eventually he brought the web server
to its knees.
Tighten the SYNDefender timeout, you say? Problem is: the setting was chosen
based on tests, in which the SYNDefender at first dropped 50% of our own
http network connections. We chose a setting with which 'only' 5% of our
connections got dropped, but apparently, SYN flood attacks are again made
possible. To my estimate, approximately 20 to 25% of the thousands of
http-connections in the attack got disconnected by the SYNDefender. The rest
was enough to kill the IIS.
Has anyone experience with this?
Kurt Haegeman - Network Security Engineer, CCSA
Dolmen Computer Applications
<http://www.dolmen.be>
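The timeout trade-off behind the message above, as an added toy simulation (not from the original message and not Check Point's SYNDefender code): a half-open table of fixed capacity ages out entries after a timeout, legitimate clients finish the handshake after a round-trip time, and spoofed flood SYNs never do. Capacity, rates and RTTs below are constructed values.

```python
"""Toy half-open (SYN-received) table with an aging timeout, constructed here to
show the trade-off: a short timeout fails slow legitimate clients, a long one lets
a SYN flood keep the table full. All times are integer milliseconds."""
import heapq
from itertools import count


class HalfOpenTable:
    def __init__(self, capacity, timeout_ms):
        self.capacity, self.timeout_ms = capacity, timeout_ms
        self.entries = {}  # connection id -> time its SYN arrived

    def expire(self, now):  # age out entries whose final ACK never came
        for cid, t0 in list(self.entries.items()):
            if now - t0 >= self.timeout_ms:
                del self.entries[cid]

    def admit(self, cid, now):  # new SYN; refused (dropped) when the table is full
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries[cid] = now
        return True

    def complete(self, cid, now):  # final ACK; fails if never admitted or aged out
        self.expire(now)
        return self.entries.pop(cid, None) is not None


def legit_drop_fraction(timeout_ms, capacity, duration_ms, legit_interval_ms,
                        legit_rtts_ms, attack_interval_ms=None):
    """Fraction of legitimate handshakes that fail. Clients send a SYN every
    legit_interval_ms and ACK after an RTT cycled from legit_rtts_ms; spoofed
    attack SYNs arrive every attack_interval_ms and never ACK."""
    table, events, seq = HalfOpenTable(capacity, timeout_ms), [], count()
    legit = range(0, duration_ms, legit_interval_ms)
    for i, t in enumerate(legit):  # seq breaks ties: earlier-queued events first
        rtt = legit_rtts_ms[i % len(legit_rtts_ms)]
        heapq.heappush(events, (t, next(seq), "syn", f"legit{i}", rtt))
    if attack_interval_ms:
        for j, t in enumerate(range(0, duration_ms, attack_interval_ms)):
            heapq.heappush(events, (t, next(seq), "syn", f"atk{j}", None))
    ok = 0
    while events:
        t, _, kind, cid, rtt = heapq.heappop(events)
        if kind == "ack":
            ok += table.complete(cid, t)
        elif table.admit(cid, t) and rtt is not None:  # legit SYN admitted: queue its ACK
            heapq.heappush(events, (t + rtt, next(seq), "ack", cid, None))
    return 1 - ok / len(legit)
```

With a 10-entry table, one legitimate SYN per second cycling RTTs of 100, 500 and 2000 ms, and a 10 SYN/s flood, a 1000 ms timeout fails the slow third of clients whether or not the flood runs (`legit_drop_fraction(1000, 10, 30000, 1000, [100, 500, 2000], 100)` gives 1/3), while a 3000 ms timeout passes every client until the flood starts and then fails 90% of them.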