But I AM running SYN Gateway, not Passive SYN Gateway. And SYN flood attacks
are still successful.

--------------------------------------------------------------------------
Kurt Haegeman, Network Security Engineer, CCSA
Dolmen Computer Applications
<www.dolmen.be>


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Hernandez
> Sent: maandag 5 juni 2000 22:07
> To: 'fw-1 listserv'
> Subject: RE: [FW1] SYN Flood Attack
>
>
>
> If you are running SYNDefender in Passive SYN Gateway one of the problems
> you might run into is that IIS can only handle 9 half-open connections. What
> happens is the client sends a SYN request and so the server sends back a
> SYN-ACK. The server is waiting (forever) for the client to ACK the
> connection and this is by definition a half-open connection. 9 of these
> causes IIS to sit and grant no further connections. (effectively DOS). To
> fix just change from Passive SYN Gateway to SYN Gateway.
>
>
> Michael Hernandez
> Technical Instructor
> [EMAIL PROTECTED]
> www.riscman.com
> (727) 530-0444 x 256
>
>
> ----------------------------------------------------------------------------
> RE: [FW1] SYN Flood Attack
>  Forum:     Firewall-1 (Admin)
>  Date:        Jun 04, 02:43
>  From:       Dameon D. Welch-Abernathy <[EMAIL PROTECTED]>
>
> About all SYNDefender can do is mitigate a SYN flood. It cannot stop one.
> It is highly recommended you also take appropriate steps to secure all
> externally accessible hosts against a SYN attack.
>
> -- PhoneBoy
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 25, 2000 2:29 AM
> > To: Fw-1-Mailinglist
> > Subject: [FW1] SYN Flood Attack
> >
> > Hi,
> >
> > Yesterday the servers in our lab, protected by a freshly squeezed
> > FireWall-1 2000, got visited by an -invited- hacker. His job was to do his
> > usual hacking stuff, the works, on our servers, to test our security
> > enforcement. He did what I expected him to do. He started with portscanners,
> > and soon he found our webserver. It's the only server we have which anyone
> > on the net can access. He then started with SYN flood attacks. At first, the
> > SYNDefender troubled his attempts, but eventually he brought the web server
> > to its knees.
> >
> > Tighten the SYNDefender timeout, you say? Problem is: the setting was
> > chosen based on tests, in which the SYNDefender at first dropped 50% of our
> > own http network connections. We chose a setting with which 'only' 5% of our
> > connections got dropped, but apparently, SYN flood attacks are again made
> > possible. To my estimate, approximately 20 to 25% of the thousands of
> > http-connections in the attack got disconnected by the SYNDefender. The rest
> > was enough to kill the IIS.
> >
> > Has anyone experience with this?
> > Kurt Haegeman - Network Security Engineer, CCSA
> > Dolmen Computer Applications
> > <http://www.dolmen.be>
> >  << File: Kurt Haegeman.vcf >>
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
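
Added example, not part of any message in this thread: a way to check a server for the half-open condition discussed above by counting connections stuck in the SYN-received state per listening port in `netstat -an` output. The function name `half_open_report`, the sample output (documentation-range addresses) and the threshold are assumptions for illustration; the value 9 is simply the figure quoted in the thread.

```python
import re
from collections import defaultdict

# netstat names the half-open state SYN_RECEIVED on Windows and SYN_RECV on Linux.
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}

# Matches Windows rows ("TCP local foreign STATE") and Linux rows
# ("tcp recv-q send-q local foreign STATE"); "." is accepted as the
# address/port separator as well as ":".
ROW = re.compile(
    r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?(\S+)[:.](\d+)\s+(\S+)[:.]\d+\s+(\S+)\s*$",
    re.IGNORECASE,
)

def half_open_report(netstat_text, threshold):
    """Return {local_port: {"half_open": n, "sources": k}} for ports with n >= threshold."""
    sources_by_port = defaultdict(list)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(4).upper() in HALF_OPEN:
            sources_by_port[int(m.group(2))].append(m.group(3))
    return {
        port: {"half_open": len(srcs), "sources": len(set(srcs))}
        for port, srcs in sorted(sources_by_port.items())
        if len(srcs) >= threshold
    }

# Constructed sample output, not data from the thread: one listener, one
# established session, one stray half-open on port 25, twelve on port 80.
SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
     "  TCP    192.0.2.10:80          198.51.100.7:40211     ESTABLISHED",
     "  TCP    192.0.2.10:25          198.51.100.9:40300     SYN_RECEIVED"]
    + [f"  TCP    192.0.2.10:80          203.0.113.{i}:{1024 + i}     SYN_RECEIVED"
       for i in range(1, 13)]
)

if __name__ == "__main__":
    for port, info in half_open_report(SAMPLE, threshold=9).items():
        print(f"port {port}: {info['half_open']} half-open "
              f"from {info['sources']} distinct sources")
```

A high half-open count spread over many distinct sources that never complete the handshake is the usual picture of a spoofed flood, while a handful from a few sources is more likely slow or lossy clients.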
