
List:       focus-ids
Subject:    Re: SQL effect on stateful IDS and firewalls
From:       Gianni Tedesco <gianni () ecsc ! co ! uk>
Date:       2003-01-29 17:33:03


On Tue, 2003-01-28 at 23:31, Todd Heberlein wrote:
> I have seen one report (by Tom Kyle on BugTraq) about the SQL worm 
> swamping the memory of a stateful firewall or IDS system.
> 
> Does anyone have pointers on reports as to how well the different 
> stateful systems did under the attack?

AFAIK most IDSs don't do state tracking for UDP. Firewalls tend to
implement UDP stateful hacks just to make DNS work, i.e. if a UDP packet
is allowed, allow reply UDP traffic for 30 seconds afterwards. This
model works for most but not all UDP applications.

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
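
The reply-window model described in the message above, sketched as an added example (not part of the original post, nor any firewall's actual code): each allowed outbound UDP datagram opens a 30-second entry, and inbound traffic is allowed only if it mirrors a live entry. The class and parameter names, the max_entries cap and the sample addresses are constructed for this sketch.

```python
from collections import OrderedDict

class UdpPseudoState:
    """Reply-window 'state' for UDP: hypothetical names, not any product's code."""

    def __init__(self, timeout=30.0, max_entries=None):
        self.timeout = timeout          # the 30 s window from the message
        self.max_entries = max_entries  # None = table may grow without limit
        self.table = OrderedDict()      # (src, sport, dst, dport) -> expiry

    def _expire(self, now):
        # Fixed timeout + move_to_end keeps entries in expiry order.
        while self.table:
            flow, expiry = next(iter(self.table.items()))
            if expiry > now:
                break
            del self.table[flow]

    def outbound(self, src, sport, dst, dport, now):
        """Record an allowed outbound datagram; False if the table is full."""
        self._expire(now)
        flow = (src, sport, dst, dport)
        full = self.max_entries is not None and len(self.table) >= self.max_entries
        if flow not in self.table and full:
            return False                # refuse new state instead of growing
        self.table[flow] = now + self.timeout
        self.table.move_to_end(flow)
        return True

    def inbound_allowed(self, src, sport, dst, dport, now):
        """Allow a datagram only if it mirrors a live outbound entry."""
        self._expire(now)
        return (dst, dport, src, sport) in self.table

def demo():
    fw = UdpPseudoState()
    fw.outbound("10.0.0.5", 40000, "192.0.2.53", 53, now=0.0)
    in_window = fw.inbound_allowed("192.0.2.53", 53, "10.0.0.5", 40000, now=1.0)
    too_late = fw.inbound_allowed("192.0.2.53", 53, "10.0.0.5", 40000, now=31.0)
    # Constructed load: one host, 50,000 distinct destinations inside one second.
    unbounded, capped, refused = UdpPseudoState(), UdpPseudoState(max_entries=1000), 0
    for i in range(50000):
        dst, t = "198.18.%d.%d" % (i // 256, i % 256), i / 50000.0
        unbounded.outbound("10.0.0.9", 1025, dst, 5000, now=t)
        refused += not capped.outbound("10.0.0.9", 1025, dst, 5000, now=t)
    return in_window, too_late, len(unbounded.table), len(capped.table), refused

if __name__ == "__main__":
    print(demo())
```

Without a cap, every distinct destination holds one entry for the full 30 seconds, so table size tracks the number of unique flows seen in that window rather than the number of hosts behind the firewall.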
