
List:       bugtraq
Subject:    Re: Simple DOS attack on FW-1
From:       "Jason R. Rhoads" <jason.rhoads () SABERNET ! NET>
Date:       1999-07-31 1:48:00

I have written a small Perl script, fwconwatch.pl, to monitor the status
of the FW-1 connection table.  When the table reaches a predefined
limit, the script sends an alert and emails a listing of the top
connection source addresses.  The script also monitors CPU utilization
as I have found this to be another good indicator of abnormal activity.

Once the script has been configured and tested, it can be added to the
/etc/init.d/firewall1 script:

  #!/bin/sh
  # FW-1 Start
  if [ -f /etc/fw/bin/fwstart ]; then
    FWDIR=/etc/fw
    export FWDIR
    /etc/fw/bin/fwstart
    /etc/fw/bin/fwconwatch.pl&
  fi
  # FW-1 END


fwconwatch can be found here: http://www.sabernet.net/software/

Lance Spitzner's fwtable.pl script is used to list the top connection
sources which can be found here:
http://www.enteract.com/~lspitz/fwtable.html

Regards,
Jason
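
Added example, not part of the original post and not fwconwatch.pl itself: the connection-table threshold check described above, in Python, applied to a single snapshot (CPU monitoring is not covered). The input format (one decoded connection per line), the function names, and the 80% warning ratio are assumptions; real FW-1 table output would have to be decoded into this form first.

```python
from collections import Counter

# Constructed sample, one decoded connection per line:
# "src_ip src_port dst_ip dst_port". This is NOT real FW-1 table output.
SAMPLE = "# src sport dst dport\n" + "".join(
    f"203.0.113.7 {1024 + i} 198.51.100.5 80\n" for i in range(8)
) + (
    "192.0.2.10 3301 198.51.100.5 25\n"
    "192.0.2.10 3302 198.51.100.5 25\n"
    "192.0.2.11 4000 198.51.100.9 443\n"
)


def parse_sources(listing):
    """Return the source address of every well-formed entry."""
    sources = []
    for line in listing.splitlines():
        fields = line.split()
        # Skip comments, blank lines and truncated entries.
        if line.lstrip().startswith("#") or len(fields) != 4:
            continue
        sources.append(fields[0])
    return sources


def check_table(listing, limit, warn_ratio=0.8, top_n=3):
    """Return None below warn_ratio * limit, else an alert dict."""
    sources = parse_sources(listing)
    used = len(sources)
    if used == 0 or used < limit * warn_ratio:
        return None
    top = Counter(sources).most_common(top_n)
    return {
        "used": used,
        "limit": limit,
        "top": top,
        # One source holding half the table points at a single host.
        "single_source": top[0][1] * 2 >= used,
    }


def format_alert(alert):
    """Render the alert as a plain-text mail body."""
    lines = [f"Connection table at {alert['used']}/{alert['limit']} entries"]
    lines += [f"  {count:6d}  {src}" for src, count in alert["top"]]
    return "\n".join(lines)
```

Calling check_table(SAMPLE, limit=12) yields an alert that format_alert turns into the mail text; with limit=100 the same snapshot is below the warning level and nothing is returned.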
