
Security Best Practice: Aggressive Aging


Check Point Reference: SBP-2010-08
Date Published:
Severity:
Source: IPS Research Center
Protection Provided by: Security Gateway
  • R70
Who is Vulnerable?
N/A
Vulnerability Description
Aggressive Aging helps manage the connections table capacity and memory consumption of the firewall to increase durability and stability.
Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a Denial of Service attack. A denial of service attack (DoS) is an attempt to make a computer resource unavailable to its intended users.
Vulnerability Details
Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections, until memory consumption or connections capacity decreases back to the desired level.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the Eligible for Deletion list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no Eligible for Deletion connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold.

Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic.
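The mechanism described above, modelled as an added example that is not Check Point's code: a connections table with a regular timeout and a shorter aggressive timeout, an enforcement threshold, and the rule that each new connection arriving at or above the threshold removes up to ten "eligible for deletion" entries (or none, if the eligible list is empty). Capacity, threshold and timeout values are constructed for illustration, not product defaults.

```python
from dataclasses import dataclass, field


@dataclass
class AggressiveAgingTable:
    """Constructed model of a connections table that applies Aggressive Aging.
    Timeouts, capacity and threshold are assumed values, not Check Point defaults."""
    capacity: int                     # total entries the table can hold
    threshold: int                    # user-defined enforcement limit
    normal_timeout: float = 60.0      # regular idle timeout in seconds
    aggressive_timeout: float = 10.0  # shorter aggressive timeout in seconds
    conns: dict = field(default_factory=dict)    # conn_id -> last activity time
    deleted: list = field(default_factory=list)  # ids removed by Aggressive Aging

    def eligible_for_deletion(self, now):
        # Idle longer than the aggressive timeout but not yet past the normal one.
        return [c for c, t in self.conns.items()
                if self.aggressive_timeout < now - t <= self.normal_timeout]

    def new_connection(self, conn_id, now, batch=10):
        """Insert a connection; at or above threshold, first delete up to `batch` eligible ones."""
        # Regular aging always applies: drop anything idle past the normal timeout.
        for c in [c for c, t in self.conns.items() if now - t > self.normal_timeout]:
            del self.conns[c]
        if len(self.conns) >= self.threshold:
            # Oldest-idle first; an empty eligible list means nothing is deleted this time.
            victims = sorted(self.eligible_for_deletion(now), key=lambda c: self.conns[c])[:batch]
            for c in victims:
                del self.conns[c]
                self.deleted.append(c)
        if len(self.conns) >= self.capacity:
            return False  # table genuinely full: the new connection is dropped
        self.conns[conn_id] = now
        return True


def simulate_idle_flood():
    """Constructed scenario: 30 connections idle for 15 s, then a burst of 20 new ones."""
    table = AggressiveAgingTable(capacity=40, threshold=30)
    table.conns.update({f"idle-{i}": 0.0 for i in range(30)})
    accepted = sum(table.new_connection(f"burst-{j}", now=15.0) for j in range(20))
    return accepted, len(table.deleted), len(table.conns)


def simulate_active_flood():
    """Constructed scenario: 30 connections still active, so nothing is eligible."""
    table = AggressiveAgingTable(capacity=40, threshold=30)
    table.conns.update({f"active-{i}": 15.0 for i in range(30)})
    accepted = sum(table.new_connection(f"burst-{j}", now=15.0) for j in range(15))
    return accepted, len(table.deleted), len(table.conns)
```

In the idle scenario every burst connection is accepted because stale entries are reclaimed ten at a time before the table ever fills; in the active scenario nothing is eligible, so Aggressive Aging deletes nothing and the table simply fills to capacity.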

Protection Overview
The major benefit of Aggressive Aging is that it starts to operate while the machine still has available memory and the connections table is not entirely full. This way, it reduces the chance of the connectivity problems that would otherwise occur under low-resource conditions.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Network Security > Denial of Service.
2. In the right pane, double-click the Aggressive Aging protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Aggressive Aging
Attack Information: Connections table's denial of service prevention mechanism