Not to mention the fact that each additional firewall rule is a performance
decrease - a few hundred extra rules could in theory significantly affect
your network throughput.
At 08:40 AM 1/21/98 -0500, Matt Davis wrote:
>I am not sure if anyone else has noticed this, but it's probably worth
>repeating. In checking out some of the features of the WatchGuard Firebox
>firewall, I noticed that they have a neat add-on feature that allows the
>firewall to automatically add a "block all" rule to a host that either
>scans the ports of an IP on your network to see what's open or if someone
>scans all the IPs on your network to see which are alive.
>While this feature at first seemed rather useful, it didn't take long to
>realize that this feature could be a potential DoS attack. Just grab your
>favorite scanning tool and set the source IP to be a popular website. I
>have yet to test to see what happens if you set it to be a source IP of
>the box itself or a host on the network.
>Again, this feature is not on by default. And it can be adjusted as to
>how long the block is put in place. My assumption is it would be
>generally OK to put in place, but may have to be turned off if it's
>repeatedly used in a DoS situation.
>Can anyone play around with the scanning tools and check this out? I am
>not really an expert when it comes to that sort of thing.
>Matthew T. Davis NOC Coordinator Internet Access Group
>mdavis@iagnet.net support@iagnet.net http://www.iagnet.net
>DID: (216) 902-5469 Tech: (216) 902-5460 Main: 1-800-637-4IAG
Gregory Perry
Trusted Computer Solutions, Inc.
13873 Park Center Road Suite 225
Herndon, VA 20171
phone: 703.318.7134
fax: 703.318.5041
email: gperry @
http://www.tcs-sec.com
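The denial-of-service Matt describes, and the rule-count concern raised in the reply, can be made concrete with a small simulation. The code below is an example added to this archived thread; it is not WatchGuard code and does not model the Firebox's real detection logic. The scan and sweep thresholds, the look-back window, the block duration and the "never block" exemption list are all assumptions made for the illustration, and the addresses are constructed from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.

```python
# Added example: toy model of an "auto-block the scanner" firewall feature.
# Not the Firebox implementation; thresholds, window and exemption list
# are assumed for illustration only.
from collections import defaultdict

SCAN_PORT_THRESHOLD = 10    # distinct dst ports from one source -> port scan (assumed)
SWEEP_HOST_THRESHOLD = 10   # distinct dst hosts from one source -> host sweep (assumed)
WINDOW = 5.0                # seconds of history each counter looks back (assumed)
POPULAR_SITE = "192.0.2.10" # constructed stand-in for a site your users depend on


class AutoBlocker:
    """Auto-blocking rule set with per-entry expiry (assumed behaviour)."""

    def __init__(self, block_seconds=600.0, never_block=()):
        self.block_seconds = block_seconds
        self.never_block = set(never_block)  # hosts we refuse to block (mitigation)
        self.blocked = {}                    # src ip -> expiry timestamp
        self.seen = defaultdict(list)        # src ip -> [(ts, dst ip, dst port)]

    def _expire(self, now):
        # Blocks are temporary, like the adjustable duration Matt mentions.
        for ip, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]

    def is_blocked(self, src, now):
        self._expire(now)
        return src in self.blocked

    def observe(self, now, src, dst, dport):
        """Feed one packet header; return the action taken on it."""
        self._expire(now)
        if src in self.blocked:
            return "drop"
        events = [e for e in self.seen[src] if now - e[0] <= WINDOW]
        events.append((now, dst, dport))
        self.seen[src] = events
        ports = {p for _, _, p in events}
        hosts = {d for _, d, _ in events}
        if len(ports) >= SCAN_PORT_THRESHOLD or len(hosts) >= SWEEP_HOST_THRESHOLD:
            if src in self.never_block:
                return "alert-only"       # log it, but never add a rule for this host
            self.blocked[src] = now + self.block_seconds
            return "blocked"
        return "pass"

    def rule_count(self):
        """Live block rules; each one is another entry the firewall must check."""
        return len(self.blocked)


def spoofed_scan(blocker, spoofed_src, target="10.0.0.5", start=0.0):
    """Attacker port-scans `target` with the source address forged as `spoofed_src`.
    The firewall only ever sees the forged source, so that is who it blocks."""
    result = "pass"
    for i in range(SCAN_PORT_THRESHOLD):
        result = blocker.observe(start + i * 0.01, spoofed_src, target, 1 + i)
    return result


def naive_outcome():
    """Default configuration: the spoofed (innocent) address ends up blocked."""
    b = AutoBlocker(block_seconds=600.0)
    action = spoofed_scan(b, POPULAR_SITE)
    return action, b.is_blocked(POPULAR_SITE, 1.0), b.is_blocked(POPULAR_SITE, 700.0)


def exempt_outcome():
    """Same attack against a configuration that exempts critical hosts."""
    b = AutoBlocker(block_seconds=600.0, never_block=[POPULAR_SITE])
    action = spoofed_scan(b, POPULAR_SITE)
    return action, b.is_blocked(POPULAR_SITE, 1.0)


def rule_flood(n=200):
    """Each distinct forged source costs the firewall one more live rule."""
    b = AutoBlocker(block_seconds=600.0)
    for i in range(n):
        spoofed_scan(b, f"198.51.100.{i + 1}", start=float(i))
    return b.rule_count()


if __name__ == "__main__":
    print("naive:", naive_outcome())
    print("exempt:", exempt_outcome())
    print("rules after flood:", rule_flood())
```

Two things fall out of running this. First, the blocker has no way to tell a forged source from a real one, so the only decision it can make is "block whoever the packets claim to be from", which is exactly the lever the attacker wants; a short block duration limits the damage but does not remove it. Second, every forged source adds a rule that must stay in the ruleset until it expires, so an attacker who cycles through source addresses also drives the rule count up, which is the throughput concern in the reply.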