IDS mailing list archives
Re: Denial of Service: Commercial Defense products
From: Roland Dobbins <rdobbins () cisco com>
Date: Fri, 25 Nov 2005 16:59:20 -0800
Actually, FinAckSyn, the Guard doesn't work that way. Traffic headed into zones under protection is routed into the Guard itself, and then various forms of antispoofing and anomaly-detection are performed to determine whether or not the traffic is valid. Invalid traffic is dropped by the Guard, while valid traffic is re-injected into the network in order to continue towards its destination.
The Guard is usually configured as an on-demand device; it's only 'inline' when needed. The rest of the time, traffic follows its normal course through the network. This type of operation ensures that the Guard is only examining traffic when such examination is required, and also doesn't require the network to be re-engineered in order to induce artificial symmetry.
In the case of your SP using the Guard to protect your gaming servers, it sounds to me as if some baselining is needed in order to fine-tune the Guard's profiles of what constitute normal and valid traffic to your gaming servers.
For more information on the Guard, NetFlow, and Arbor, see this URL: http://www.cisco.com/go/cleanpipes

On Nov 24, 2005, at 10:58 AM, FinAckSyn wrote:

Hi Joel,

Cisco Guard doesn't actually 'stop' SYN packets - it tells routers where the bad traffic is coming from, and gets the routers to block by blackholing the route. So yes, it may look great in a lab environment where your Cisco 7200s are happily throwing SYN packets into oblivion, but in the real world, both the SYN Cookie mechanism and routing manipulations cause a lot of problems with real-world traffic. This is where an inline device is so important - something that can understand both ends of the connection and work out whether it's valid or not before throwing it away.

Our ISP uses Cisco Guard, but we tell them to turn it off unless absolutely necessary to protect their own peering points, as if it's left on always, it throws our customers' customers out of their online gaming sessions (which is bad news for them and us!).

Regards,
Matt

--- Joel Friedman <jfriedman () datapipe com> wrote:

Riverhead (now Cisco Guard) is by far the best choice. We had a little in-house shoot-out where we attacked multiple vendors' hardware and graphed their results into the millions of packets per second. Due to NDAs we are not allowed to disclose which vendors, nor their results, but I can say that Riverhead successfully defended against more than twice the load of its competitors... at the time it was able to stop approximately 1.5 million SYN packets per second while still allowing legitimate traffic. IMHO there is no other choice.

--Joel

-----Original Message-----
From: Kyle Quest [mailto:Kyle.Quest () networkengines com]
Sent: Wednesday, November 23, 2005 2:42 PM
To: focus-ids () securityfocus com
Subject: RE: Denial of Service: Commercial Defense products

You should really look at Top Layer if you are serious about defending against denial of service attacks. Don't even waste your time on Mazu or McAfee. Tipping Point is supposed to get better at it as well (they were working on some new things the last time I had a chance to talk to one of their top guys), but I don't know if it's already available. I would recommend looking at the NSS reports (http://www.nss.co.uk/download/download.htm). Unfortunately, the online version of the report that includes the Top Layer review is no longer available, but you can still buy it for a couple of bucks.

Kyle

-----Original Message-----
From: Ogle [mailto:myinfosec () gmail com]
Sent: Tuesday, November 22, 2005 4:44 AM
To: focus-ids () securityfocus com
Subject: Denial of Service: Commercial Defense products

Hi,

I have an ISP customer who wants to protect their network and their subscribers' network. In the "Internet Denial of Service: Attack and Defense Mechanisms" book, I noticed 7 commercial products.

1. Mazu Enforcer by Mazu Networks
2. Peakflow by Arbor Networks
3. WS Series Appliances by Webscreen Technologies
4. Captus IPS by Captus Networks
5. MANAnet Shield by CS3
6. Cisco Traffic Anomaly Detector XT and Cisco Guard XT
7. StealthWatch by Lancope

Since I'm new with this type of product, is there any reference out there to help me choose the right solution for my customer? Is there any problem if I use an IPS (i.e. TippingPoint, McAfee) for this solution?

Thanks.
--------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

Algorithm agility is an essential feature in any Internet protocol.
-- Bruce Schneier
------------------------------------------------------------------------
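Roland's point that the Guard's profiles of "normal and valid traffic" need baselining against representative traffic, and Matt's complaint that an always-on Guard throws gamers out of their sessions, are two sides of one problem: a profile learned only from quiet hours treats a legitimate evening peak as a flood. The Python below is an added illustration and is not code from this thread, from Cisco, or from any product named in it; it is a generic mean-plus-k-standard-deviations baseline over constructed NetFlow-style records for a hypothetical game server (`game-1.example`), not a description of the Guard's actual anomaly-detection or antispoofing algorithms. It shows that the same 48-connections-per-second evening peak is flagged by a baseline trained on a quiet hour but accepted by one trained on a quiet hour plus a busy hour, while a 5,000-SYN-per-second flood trips both.

```python
"""Added example (not the thread's, Cisco's, or any vendor's code):
baselining per-destination SYN rates so a busy-hour surge of legitimate
connections is not mistaken for a flood, while a real flood still trips
the threshold. All traffic records below are constructed."""
from collections import Counter
from statistics import mean, pstdev
from typing import Iterable, List, NamedTuple


class Record(NamedTuple):
    """One NetFlow-style record, reduced to what the baseline needs."""
    ts: int         # epoch second of the flow start
    dst: str        # protected destination (e.g. a game server)
    syn_only: bool  # TCP flags were SYN without ACK: a new connection attempt


class Baseline(NamedTuple):
    dst: str
    mean_syn_per_sec: float
    stdev_syn_per_sec: float
    seconds_observed: int


def syn_rates(records: Iterable[Record], dst: str) -> List[int]:
    """Per-second count of connection attempts toward dst over the window,
    including seconds in which no SYN arrived (they count as zero)."""
    per_sec = Counter(r.ts for r in records if r.dst == dst and r.syn_only)
    if not per_sec:
        return []
    lo, hi = min(per_sec), max(per_sec)
    return [per_sec.get(t, 0) for t in range(lo, hi + 1)]


def learn_baseline(records: Iterable[Record], dst: str) -> Baseline:
    """Profile 'normal' as the mean and population stdev of the SYN rate."""
    rates = syn_rates(list(records), dst)
    if not rates:
        raise ValueError(f"no SYN traffic toward {dst} in the training window")
    return Baseline(dst, mean(rates), pstdev(rates), len(rates))


def threshold(baseline: Baseline, k: float = 3.0, floor: float = 10.0) -> float:
    """Rate above which a second is anomalous: mean + k*stdev, but never
    below `floor`, so a near-silent training window cannot yield a threshold
    that flags the first handful of real players."""
    return max(baseline.mean_syn_per_sec + k * baseline.stdev_syn_per_sec, floor)


def is_anomalous(baseline: Baseline, observed_syn_per_sec: int,
                 k: float = 3.0, floor: float = 10.0) -> bool:
    return observed_syn_per_sec > threshold(baseline, k, floor)


def make_records(dst: str, start_ts: int, per_second_counts: List[int]) -> List[Record]:
    """Constructed traffic: per_second_counts[i] SYN-only records at start_ts + i."""
    recs: List[Record] = []
    for i, n in enumerate(per_second_counts):
        recs.extend(Record(start_ts + i, dst, True) for _ in range(n))
    return recs


GAME = "game-1.example"  # hypothetical protected zone
# Constructed quiet hour (60 s): 20-26 new connections/s.
QUIET = make_records(GAME, 1_000, [20 + i % 7 for i in range(60)])
# Constructed busy hour (next 60 s): 40-50 new connections/s, all legitimate.
BUSY = make_records(GAME, 1_060, [40 + i % 11 for i in range(60)])

BASELINE_QUIET_ONLY = learn_baseline(QUIET, GAME)
BASELINE_FULL_DAY = learn_baseline(QUIET + BUSY, GAME)

LEGIT_PEAK = 48   # a normal evening second
FLOOD = 5_000     # a SYN-flood second


def demo() -> dict:
    """Which baseline flags which second; the quiet-only profile produces
    exactly the false positive the thread complains about."""
    return {
        "quiet_flags_peak": is_anomalous(BASELINE_QUIET_ONLY, LEGIT_PEAK),
        "full_flags_peak": is_anomalous(BASELINE_FULL_DAY, LEGIT_PEAK),
        "quiet_flags_flood": is_anomalous(BASELINE_QUIET_ONLY, FLOOD),
        "full_flags_flood": is_anomalous(BASELINE_FULL_DAY, FLOOD),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {flagged}")
```

The quiet-only profile has a mean of 22.9 SYN/s and a threshold just under 29 SYN/s, so the evening peak of 48 SYN/s is flagged; the profile that also saw the busy hour has a threshold around 67 SYN/s and accepts it, yet a 5,000 SYN/s flood is still far beyond either. A deployment would keep one profile per hour-of-day and day-of-week for each protected zone rather than a single flat one, which is the "baselining" Roland refers to.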