Security Best Practice: Preventing Non-TCP Flooding
| Check Point Reference: | SBP-2006-14 | |
| Date Published: | ||
| Severity: | ||
| Source: | SmartDefense Research Center | |
| Protection Provided by: |
Security Gateway
|
|
| Who is Vulnerable? Security Devices | ||
| Vulnerability Description Hackers directly target security devices such as firewalls. In advanced firewalls, state information about connections is maintained in a State table. The State table includes connection-oriented TCP and connectionless non-TCP protocols. Hackers can send high volumes of non-TCP traffic in an effort to fill up a firewall State table. This results in a Denial of Service by preventing the firewall from accepting new connections. Unlike TCP, non-TCP traffic does not provide mechanisms to reset or clear a connection. Non-TCP protocols are connectionless, therefore the SYN Defender mechanism will not provide protection from the potential flooding non-TCP protocols. |
||
|
Vulnerability Details Denial of Service (DoS) attacks are aimed at disrupting normal operations of a service. They are an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. |
Protection Overview
Enable this protection to restrict non-TCP traffic from occupying more than a given percentage of an enforcement point State table.
To configure the defense, select your product from the list below and follow the related protection steps.