On Mon, 29 Jan 2001, Olof Olsson wrote:
[problems with high-volume DNS traffic through FW-1]
> 1) With a 50K connection table size, one can only handle less than 400
> DNS queries/s
> 2) With a 100K connection table size, one can handle around 1000 DNS
> queries/s
> 3) It could be very "bad" to have the UDP timeout set to a "high value".
>
> and most importantly:
>
> 4) It would seem that FW-1 could have serious problems handling
> high-volume DNS/UDP sites.
> 5) It would also seem that an "easy" denial of service attack against
> FW-1 would be to spray it with a largish number of DNS queries. (Or any
> other UDP traffic that is allowed by the ruleset.) However, I have not
> tried this.
I think so too.
> The only workarounds that I can see, are:
>
> 1) Avoid using FW-1 in high-volume UDP applications. For example, put
> hardened router ACL protected DNS boxes outside of the firewalls.
ACK
> 2) Increase the connection table size to something large, say 100K -
> 300K. (Assuming FW-1 can handle these connection table sizes. 100K seems
> OK, haven't tested anything larger.)
>
> 3) Decrease the UDP timeout. However, I believe that 40s is the minimum.
> Also, due to the exponential backoff used by DNS, it is probably a very
> bad idea to use anything smaller anyway.
> 4) Drop Checkpoint and use another firewall that can support very large
> connection table sizes.
What can you recommend?
> I would be _extremely_ interested in hearing about other people's
> experiences in relation to FW-1 UDP performance in general and DNS
> performance in particular.
I know the problem with UDP and FW-1. I prefer your workaround 1.
Regards,
Micha Borrmann
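The capacity problem discussed in this thread (state table size versus UDP timeout versus query rate) can be reasoned about with a small simulation. The following is an added example, not code from either poster or from Check Point; it assumes a deliberately simplified model in which every DNS query creates exactly one table entry that lives for the full UDP timeout and a full table drops new queries. The table sizes (50K, 100K) and the 40 s timeout are the figures quoted in the thread; the traffic stream is constructed for the simulation.

```python
"""Simulate a stateful firewall's UDP connection table under DNS query load.

Model (an assumption of this example, not a description of FW-1 internals):
  - each query inserts one entry that expires exactly udp_timeout seconds later
  - expired entries are reaped before each insert
  - when the table is full, the new query is dropped
Time is kept in integer microseconds so the arithmetic is exact.
"""
from collections import deque

US_PER_S = 1_000_000


def simulate(table_size, udp_timeout_s, query_rate, duration_s):
    """Return (accepted, dropped) for a constant stream of query_rate
    queries/s lasting duration_s seconds.

    Because every entry has the same lifetime, entries expire in insertion
    order, so a FIFO of expiry timestamps is an exact model of the table.
    """
    if US_PER_S % query_rate:
        raise ValueError("query_rate must divide 1e6 for exact timing")
    interval = US_PER_S // query_rate          # gap between queries, in us
    timeout = udp_timeout_s * US_PER_S          # entry lifetime, in us
    table = deque()                             # expiry times, oldest first
    accepted = dropped = 0
    for i in range(query_rate * duration_s):
        now = i * interval
        while table and table[0] <= now:        # reap expired entries
            table.popleft()
        if len(table) < table_size:
            table.append(now + timeout)
            accepted += 1
        else:
            dropped += 1                        # table exhausted: query lost
    return accepted, dropped


def max_sustainable_rate(table_size, udp_timeout_s):
    """Steady-state bound from Little's law: entries in table = rate * timeout,
    so the table stops losing queries only while rate <= size / timeout."""
    return table_size / udp_timeout_s


if __name__ == "__main__":
    # Thread's figures: 50K and 100K tables, 40 s minimum UDP timeout.
    for size in (50_000, 100_000):
        print(f"table {size}: sustainable <= "
              f"{max_sustainable_rate(size, 40):.0f} queries/s under this model")
    # A constructed burst well above the bound shows the drop behaviour.
    print("50K table, 2000 q/s for 60 s:", simulate(50_000, 40, 2000, 60))
```

Under this model the bound is simply size/timeout, so a sustained rate above it (whether legitimate DNS load or the UDP flood the thread worries about) fills the table within size/rate seconds and every further query is dropped until entries start expiring. That is the capacity-planning relationship behind workaround 2 (larger table) and 3 (shorter timeout), and it also shows why a lower timeout is a weak lever: 40 s is already the stated minimum and DNS retry backoff argues against going lower.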
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================