TCP has a 16-bit port address, which allows for 65535 ports for source and destination ports. That fact appears to be lost on the vendor of my cable modem as they seem to think that 40960 is all that anyone would EVER need, however that fact is not lost on me. I have discovered this limitation "the hard way." I've crashed my cable modem three times this week while trying to conduct a pen-test for a client.
In all fairness, it seems like assuming a home user would not exceed 40960 simultaneous or embryotic connection is reasonable. That said, it still seems assinine not to support either the full-capabilities of the protocol's specifications OR that if it isn't going to handle all 65,535 ports that it at least not just die violently.
Ironically, this is not the first device I have discovered this limitation (which is why I know what is wrong here.) I've discovered this limitation in a variety of firewalls: Novell BorderManager, SonicWall, and various Linksys devices. This is, however, the first layer 2-3 device I've discovered the problem on.
1 comment:
...I was able to tweak my PIX firewall so that my modem doesn't crash and burn so bloody often. On the PIX the command is 'timeout'.
timeout conn 0:30:00 half-closed 0:05:00 udp 0:02:00 rpc 0:10:00
On an ASA you would use the Modular Policy Framework (MPF) to create a class-map and apply it with a policy-map adjusting the timeouts, etc.
Post a Comment