Check Point Advisories

Security Best Practice: Aggressive Aging

Check Point Reference: SBP-2010-08
Date Published: 20 Jan 2010
Severity: Medium
Last Updated: Friday 01 January, 2010
Source: IPS Research Center
Protection Provided by:
Who is Vulnerable? N/A
Vulnerability Description: Aggressive Aging helps manage the connections table capacity and memory consumption of the firewall to increase durability and stability.
Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a Denial of Service attack. A denial of service attack (DoS) is an attempt to make a computer resource unavailable to its intended users.
Vulnerability Details: Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout, it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user-defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections until memory consumption or connections capacity decreases back to the desired level.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the Eligible for Deletion list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no Eligible for Deletion connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold.

Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic.
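The following Python model is an added illustration of the deletion behaviour described above, not Check Point code. The class and function names, deleting the longest-idle connections first, and tracking only the connection count (not memory) are assumptions; the batch of ten per new connection comes from the advisory.

```python
from dataclasses import dataclass, field

BATCH = 10  # deletions triggered by each new connection while over threshold (per the advisory)

@dataclass
class ConnTable:
    capacity: int               # hard limit of the connections table (entries)
    threshold: int              # user-defined enforcement threshold (entries)
    aggressive_timeout: float   # seconds idle before a connection is "eligible for deletion"
    last_seen: dict = field(default_factory=dict)  # conn_id -> time of last packet
    next_id: int = 0

    def eligible(self, now):
        """IDs idle longer than the aggressive timeout, longest idle first (ordering is assumed)."""
        idle = [cid for cid, t in self.last_seen.items() if now - t > self.aggressive_timeout]
        return sorted(idle, key=self.last_seen.get)

    def new_connection(self, now):
        """Handle one incoming connection; return (accepted, number_aged_out)."""
        aged = 0
        if len(self.last_seen) >= self.threshold:
            # Over threshold: remove up to BATCH eligible entries; if none are eligible, remove none.
            for cid in self.eligible(now)[:BATCH]:
                del self.last_seen[cid]
                aged += 1
        if len(self.last_seen) >= self.capacity:
            return False, aged  # table full and nothing could be aged out
        self.last_seen[self.next_id] = now
        self.next_id += 1
        return True, aged

def simulate(idle_first, burst, capacity=100, threshold=80, aggressive_timeout=5.0):
    """Constructed scenario: idle_first connections open at t=0 and go silent, then a burst at t=10."""
    table = ConnTable(capacity, threshold, aggressive_timeout)
    for _ in range(idle_first):
        table.new_connection(now=0.0)
    accepted = aged = 0
    for _ in range(burst):
        ok, n = table.new_connection(now=10.0)
        accepted += ok
        aged += n
    return {"accepted": accepted, "rejected": burst - accepted,
            "aged_out": aged, "table_size": len(table.last_seen)}
```

Running `simulate(80, 30)` against `simulate(80, 30, aggressive_timeout=20.0)` shows the effect of the timeout value: with the shorter timeout the idle entries are aged out and the whole burst is admitted, while with the longer one nothing is eligible and the table fills.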

Protection Overview
