| Vulnerability Details | Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections, until memory consumption or connections capacity decreases back to the desired level.
If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the Eligible for Deletion list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no Eligible for Deletion connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold.
Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic. |
Feedback