ISG 2000 High CPU Caused By Src Based Session Limiting
Bylie last edited by
I’ve got a few questions regarding how the ISG 2000 platform handles the screening options.
Today our firewall sustained a 100% CPU load when a compromised server in one of our DMZs was starting/joining a (D)DoS against another server(s) on the internet. The compromised server was trying to create an abnormally high amount of sessions outbound (together with 80 Mb/s of traffic), which were being blocked by the "source based session limit" screening option on the DMZ security zone in question. Alas, because of this, we also experienced a lot of connectivity loss between our other security zones. However, after some time we were able to remotely connect to our SSLVPN, through which we were then able to identify the compromised server, after which we promptly shut down its port on the switch and notified the owner of the server. Immediately after this everything went back to normal and all management options (HTTPS, SSH, NSM) on the ISG 2000 were available again.
Also, we're running ScreenOS v6.2.0r11, should it matter.
Now for my questions:
Is this expected behaviour? I always thought the screening options (like "source based session limiting") were mostly implemented in hardware (ASIC), because, the way it was performing today, the firewall was basically DoS'ing itself by trying to limit the amount of sessions from one host. Surely an ISG should be able to handle this more gracefully, as this would also mean that a session-based attack from the internet could drive the CPU load up to the point that traffic between internal security zones would be affected?
In searching the internet for people who experienced similar things, I've seen the terms "Flow" and "Task" being mentioned when talking about the CPU load. What exactly is the difference between the two? Is Flow in regard to actual traffic and Task in regard to ALGs, screening, session setup, ...?
Can anyone shed some light on this because I’m really stumped?
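To make the behaviour described in the post concrete, here is an added illustration that is not part of the original post and not ScreenOS code: a minimal per-source session limiter in the spirit of a "source based session limit" screen. The point it shows is that every new-session attempt from the flooding host is still looked up and counted before it is rejected, so the limit caps the number of sessions that get *installed* but not the work spent *evaluating* attempts. The threshold of 128 sessions, the two source addresses and the attempt counts are constructed for this example.

```python
"""
Added example: a toy per-source session limiter. Not ScreenOS code; the
limit value, the hosts and the attempt counts below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceLimiter:
    """Tracks active sessions per source IP and refuses new ones above a cap."""
    per_source_limit: int = 128                      # constructed threshold
    active: dict = field(default_factory=lambda: defaultdict(int))
    rejected: dict = field(default_factory=lambda: defaultdict(int))
    attempts: int = 0   # every lookup, allowed or rejected, is work done

    def new_session(self, src_ip: str) -> bool:
        """Return True if the session is installed, False if the cap blocks it."""
        self.attempts += 1                           # cost is paid either way
        if self.active[src_ip] >= self.per_source_limit:
            self.rejected[src_ip] += 1
            return False
        self.active[src_ip] += 1
        return True

    def close_session(self, src_ip: str) -> None:
        """Release one installed session for this source, if any."""
        if self.active[src_ip] > 0:
            self.active[src_ip] -= 1

    def top_offender(self):
        """(src_ip, rejected_count) for the source hit hardest by the limit."""
        if not self.rejected:
            return None
        return max(self.rejected.items(), key=lambda kv: kv[1])


def simulate(limit: int = 128,
             hosts=(("10.0.1.5", 5000), ("10.0.1.20", 50))):
    """
    Replay a constructed burst: one host (10.0.1.5) tries 5000 outbound
    sessions, a normal host (10.0.1.20) tries 50. Returns the limiter state
    and the number of sessions that were actually installed.
    """
    limiter = SourceLimiter(per_source_limit=limit)
    installed = 0
    for ip, count in hosts:
        for _ in range(count):
            if limiter.new_session(ip):
                installed += 1
    return limiter, installed


if __name__ == "__main__":
    lim, installed = simulate()
    print(f"attempts evaluated: {lim.attempts}, sessions installed: {installed}")
    print(f"top offender by rejected attempts: {lim.top_offender()}")
```

Running it shows 5050 attempts evaluated but only 178 sessions installed: the limiter did its job on session count, yet the per-attempt lookup ran 5050 times. The `top_offender` view is the same question the poster had to answer by hand over SSLVPN (which source is driving the rejections); on a real platform the equivalent is whatever per-source drop counter the screen exposes.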