Pantek Library

RE: Firewall Load Testing

From: Brass, Phil (ISS Atlanta) <PBrass(at)iss.net>
Date: Tue Dec 10 2002 - 13:42:10 EST


One of the problems I have found in this arena is that many hosts (Windows particularly) cannot hold open more than about 5000 simultaneous TCP connections. I know some unices have similar problems, though my understanding is that it is possible to frob the BSD kernel, at least, to get 40,000 simultaneous connections. That is all very well and good, but unless there are enough target machines behind the firewall to handle that many connections, or you get to run your own listener on another frobbed box on the inside, you aren't going to be able to hold open that many connections.

One possibility in terms of solution is to take something like Dan Kaminsky's excellent Paketto Keiretsu toolkit (http://www.doxpara.com/), in particular the scanrand stateless SYN scanner, add a SYN+ACK and have it connect to the same port instead of scanning... Anyhow, the point of using scanrand stuff is that it's basically stateless. The reason many kernels won't handle more than a few thousand sockets (as I understand it) is that typically kernels allocate some non-paged pool for each connection, and non-paged pool is a limited resource. At least I think that's how it works on MS.

Phil

> -----Original Message-----
> From: Jason Dixon [mailto:jasondixon@myrealbox.com]
> Sent: Saturday, December 07, 2002 8:34 PM
> To: pen-test@securityfocus.com
> Subject: Firewall Load Testing
>
>
> My apologies if this isn't the right forum for this question;



Received on Tue Dec 10 16:30:48 2002
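The stateless approach Phil sketches above, as an added example that is not part of the original post and is not code from Paketto Keiretsu or scanrand: every SYN carries an initial sequence number that is an HMAC of the 4-tuple under a secret key (the "inverse SYN cookie" idea scanrand is built on), so a SYN+ACK coming back can be checked against the cookie and answered with the handshake's final ACK without the kernel allocating a socket, a non-paged-pool entry, or anything else per connection on the sending side. The addresses, ports, secret key and the target's SYN+ACK are all constructed for the example; the raw-socket send/receive plumbing (which needs root) is left out, and only segment construction and validation are shown.

```python
"""
Stateless SYN load generation with cookie-encoded sequence numbers.

Added example, not code from the original post and not Paketto Keiretsu/scanrand
itself. The ISN of every SYN is an HMAC of the 4-tuple under a secret key. A
SYN+ACK that comes back belongs to a SYN we really sent exactly when its ACK
number equals that cookie + 1, so replies can be validated and answered with the
handshake's final ACK while our side keeps no per-connection table at all.
"""
import hashlib
import hmac
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
MASK32 = 0xFFFFFFFF
SECRET = b"assumed per-run secret: generate a fresh one for each test run"  # assumption


def isn_cookie(key, src_ip, src_port, dst_ip, dst_port):
    """32-bit ISN bound to the 4-tuple; this replaces the per-connection state."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HH", src_port, dst_port))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.

    Returns 0 when called on a segment whose checksum field is already valid.
    """
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535):
    """Minimal 20-byte TCP header (no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & MASK32, ack & MASK32,
                      5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp(segment):
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def make_syn(key, our_ip, sport, peer_ip, dport):
    """Stateless SYN: nothing is remembered once this segment is on the wire."""
    return build_tcp(our_ip, peer_ip, sport, dport,
                     isn_cookie(key, our_ip, sport, peer_ip, dport), 0, TCP_SYN)


def handle_reply(key, our_ip, peer_ip, segment):
    """Classify an inbound segment from peer_ip using only the key.

    Returns (verdict, ack_segment_or_None). For a valid SYN+ACK the returned ACK
    completes the handshake, so the target (and the firewall's state table) hold
    an ESTABLISHED connection while our side holds no socket at all.
    """
    if tcp_checksum(peer_ip, our_ip, segment) != 0:
        return "bad-checksum", None
    t = parse_tcp(segment)
    # The reply's destination port is the source port we used; recompute the cookie.
    expected = (isn_cookie(key, our_ip, t["dport"], peer_ip, t["sport"]) + 1) & MASK32
    if t["ack"] != expected:
        return "spoofed-or-unsolicited", None  # does not match any SYN we sent
    if t["flags"] & TCP_RST:
        return "closed", None
    if (t["flags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
        ack = build_tcp(our_ip, peer_ip, t["dport"], t["sport"],
                        expected, (t["seq"] + 1) & MASK32, TCP_ACK)
        return "open", ack
    return "other", None


if __name__ == "__main__":
    # Constructed exchange: we are 10.0.0.5, the target is 10.0.0.80:80 behind the firewall.
    our, peer = "10.0.0.5", "10.0.0.80"
    syn = make_syn(SECRET, our, 40000, peer, 80)
    cookie = parse_tcp(syn)["seq"]
    # The target's SYN+ACK, constructed here; in practice it is read from a raw socket.
    synack = build_tcp(peer, our, 80, 40000, 0x11223344, cookie + 1, TCP_SYN | TCP_ACK)
    print(handle_reply(SECRET, our, peer, synack)[0])   # open
    forged = build_tcp(peer, our, 80, 40000, 0x11223344, 12345, TCP_SYN | TCP_ACK)
    print(handle_reply(SECRET, our, peer, forged)[0])   # spoofed-or-unsolicited
```

The ACK that `handle_reply` returns is the "add a SYN+ACK" step Phil proposes: it is the piece a pure scanner does not send, and it is what turns a half-open probe into a full connection on the far side. Note what it does not change: the listener behind the firewall still holds a real socket per completed handshake, so, exactly as the post says, the hosts on the inside (or an inside box you control running a similarly stateless responder) remain the limit on how many connections can be held open, not the generator.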

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:31 EDT

