IDS mailing list archives

Re: Denial of Service: Commercial Defense products


From: "avi chesla" <chess4_4 () hotmail com>
Date: Tue, 20 Dec 2005 19:28:43 +0200

Hi Matt,

It should be noted that I am an employee of Radware. The following answer is informative only.

The problem you have encountered has been handled in the latest versions of the DefensePro. A new mechanism (adaptive behavioral DoS protection), which aims to handle all types of floods, has been implemented. This new mechanism uses a mature technology that was taken from V-Secure Technologies (this is involved with the acquisition that Radware made). The new mechanism mitigates TCP (SYN and also other TCP floods), UDP, ICMP and IGMP floods by using a statistical adaptive approach (i.e., no thresholds need to be set).

The mitigation methods that this mechanism allows are highly granular, which means that the detected attack is blocked according to multiple characteristic parameters taken from the packet headers and payload. These parameters (e.g., checksums, packet sizes, TTL, ports, DNS queries, etc.) are detected on the fly and are automatically tailored through AND and OR logical relationships in order to generate the most narrow prevention measure against the detected attack (all in order to minimize the blocking of legitimate users). The integrated technology allows this whole process (detection and prevention) to take place without user intervention.

If you test mitigation tools, you should especially focus on the granularity and accuracy of the prevention rules that these tools provide. Regarding Toplayer and Riverhead, the aforementioned new protection is actually a breakthrough for Radware mitigation capabilities. I advise you to test Radware's new DoS and DDoS solution compared to the other vendors – I think that the differences can be easily exposed.

Let me know if you need any more assistance.

Avi


From: FinAckSyn <finacksyn () yahoo co uk>
To: avi chesla <chess4_4 () hotmail com>, devdas () dvb homelinux org, focus-ids () securityfocus com
Subject: Re: Denial of Service: Commercial Defense products
Date: Fri, 16 Dec 2005 11:46:52 +0000 (GMT)

Hi Avi,

The big problem I had with RadWare DefensePro (this
was about a year ago), was that I couldn't set the SYN
cache timeout to anything less than 3 seconds.  As the
cache could only hold 64,000 SYNs, any SYN Flood
larger than 64,000/3 = 21,333 SYN/s would completely
fill the cache.
This spelt disaster every time a SYN flood hit the
network, as invalid SYNs filled up the cache, leaving
no space for new, legitimate connections to be set up.
True, the SYN Flood was mitigated, but at the expense
of any new connections (existing ones were preserved),
which is generally bad if you're dealing with critical
applications and web presences.
I would love to hear from RadWare as to whether or not
this limitation has actually been fixed, and if it
has, how their new technology now fares against the
more mature mitigation products such as TopLayer and
Riverhead.

Rgds,

Matt

--- avi chesla <chess4_4 () hotmail com> wrote:

> Hi, you should also consider Radware's DefensePro
> with their new behavioral
> based DDoS protection.
>
> Avi
>
>
> >From: Devdas Bhagat <devdas () dvb homelinux org>
> >Reply-To: Devdas Bhagat <devdas () dvb homelinux org>
> >To: focus-ids () securityfocus com
> >Subject: Re: Denial of Service: Commercial Defense products
> >Date: Thu, 24 Nov 2005 21:59:41 +0530
> >
> >On 22/11/05 16:43 +0700, Ogle wrote:
> > > Hi,
> > > I have an ISP customer who wants to protect their network and their
> > > subscriber's network.
> > > In "Internet Denial of Service: Attack and Defense Mechanisms" book, I
> > > noticed 7 commercial products.
> > > 1. Mazu Enforcer by Mazu Networks
> > > 2. Peakflow by Arbor Networks
> > > 3. WS Series Appliances by Webscreen Technologies
> > > 4. Captus IPS by Captus Networks
> > > 5. MANAnet Shield by CS3
> > > 6. Cisco Traffic Anomaly Detector XT and Cisco Guard XT
> > > 7. StealthWatch by Lancope
> > >
> > > Since I'm new with this type of products, is there any reference out
> > > there to help me choose the right solution to my customer ?
> > > Is there any problem if I use IPS (ie: TippingPoint, McAfee) for this
> > > solution ?
> >
> >What kind of DoS? Is this a simple packet flooding choking the pipe? Is
> >this an application layer attack? Syn floods? Physical damage to links?
> >
> >Devdas Bhagat
> >
>
>------------------------------------------------------------------------
> >Test Your IDS
> >
> >Is your IDS deployed correctly?
> >Find out quickly and easily by testing it
> >with real-world attacks from CORE IMPACT.
> >Go to
>
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> >to learn more.
>
>------------------------------------------------------------------------
> >
>
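Added example, not part of the original thread and not any vendor's implementation: a simplified fluid model of the fixed-size SYN cache limit described in Matt's message (64,000 entries, 3-second timeout). The legitimate SYN rate, the 0.1 s handshake time and the proportional sharing of free slots are assumptions made for illustration.

```python
from collections import deque


def saturation_rate(capacity, timeout_s):
    """Flood rate (SYN/s) above which never-completed entries fill the cache."""
    return capacity / timeout_s


def simulate(flood_rate, legit_rate=500, capacity=64_000, timeout_s=3.0,
             rtt_s=0.1, duration_s=30.0, tick_s=0.01):
    """Return the fraction of legitimate SYNs that found a free cache slot.

    Flood entries never complete and hold a slot until the timeout;
    legitimate entries free their slot after one handshake (rtt_s, assumed).
    """
    timeout_ticks = round(timeout_s / tick_s)
    rtt_ticks = round(rtt_s / tick_s)
    flood_q, legit_q = deque(), deque()   # (release_tick, slots) batches
    used = offered = accepted = 0.0
    for tick in range(round(duration_s / tick_s)):
        # Release slots whose timeout or handshake has finished.
        for q in (flood_q, legit_q):
            while q and q[0][0] <= tick:
                used -= q.popleft()[1]
        flood_in, legit_in = flood_rate * tick_s, legit_rate * tick_s
        free = max(0.0, capacity - used)
        # Assumption: arrivals in a tick compete equally for the free slots.
        share = min(1.0, free / (flood_in + legit_in))
        flood_q.append((tick + timeout_ticks, flood_in * share))
        legit_q.append((tick + rtt_ticks, legit_in * share))
        used += (flood_in + legit_in) * share
        offered += legit_in
        accepted += legit_in * share
    return accepted / offered


if __name__ == "__main__":
    print(f"saturation point: {saturation_rate(64_000, 3):.0f} SYN/s")
    for rate in (10_000, 20_000, 25_000, 40_000, 100_000):
        ok = simulate(rate)
        print(f"flood {rate:>7} SYN/s -> {ok:6.1%} of legitimate SYNs cached")
```

Below the saturation point every legitimate SYN gets a slot; above it, the accepted fraction falls roughly as capacity / (timeout × total SYN rate), which is why a shorter timeout or a larger cache raises the flood rate the device can absorb.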



