OpenBSD Information for VU#539363

State-based firewalls fail to effectively manage session table resource exhaustion

Status

Not Affected

Vendor Statement

The stateful packet filter (pf) that ships with OpenBSD 3.0 and later offers several configuration options to deal with this kind of attack.

State table entries are allocated from a dedicated kernel memory pool. A hard limit for maximum number of state entries can be configured. When this limit is reached, further packets that require state entry creation are dropped, until existing state entries time out. Other memory pools are not affected.

Each filter rule that creates state entries for matching packets can specify an individual maximum number of states created by it. When one rule has reached its own maximum, other rules can still create new state entries, up to their own maxima (or the global hard limit).

The state timeout values (period of time of inactivity after which a state entry is removed) for each phase of a connection can be can be configured globally, per protocol and in each rule that creates state entries. Low timeouts can be used to purge individual connections early. Aggressive timeouts for TCP connections that are not fully established force an attacker to complete the TCP handshake to create long-lived state entries, addressing spoofed SYN floods.

With a balanced choice of maxima and timeouts, and depending on the available amount of memory and the highest possible packet rate, the state table does not reach its size limits.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.