IDS mailing list archives

Re: Denial of Service: Commercial Defense products


From: Stefano Zanero <zanero () elet polimi it>
Date: Tue, 03 Jan 2006 23:45:44 +0100

Kyle Quest wrote:
> This is just some background info on this new (D)DoS technology
> Radware has, so people have a better idea of what Avi is talking
> about...

Let's see...

> These parameters are:
> 1.    Source IP.
> [...]
> 17.   DNS query ID.

Basically, any numeric parameter which can be extracted from a TCP flow
then...

> They create dynamic filters and see what kind of effect they have
> and how the blocked traffic source behaves. Based on those results
> they adjust those filters.

OK, this is what any anomaly detection system would do. It would be nice
if vendors sometimes added something like "how are we using the data" :)

> The way things work, it's not unusual for them to block legitimate
> traffic for a very small period of time while they are trying to
> figure out if the traffic they are processing is bad or good.

Yes, this is pretty much the idea of everyone in the field :-D

Stefano
-- 
Cordiali saluti,
Stefano Zanero
Dottorando di Ricerca / Ph.D. Student

Politecnico di Milano - Dip. Elettronica e Informazione
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel.    +39 02 2399-4010/3660
Fax.    +39 02 2399-3411
E-mail: zanero () elet polimi it
Web:    www.elet.polimi.it/upload/zanero
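The loop the quoted post describes (extract per-packet parameters, learn what is normal, install dynamic filters on values that dominate an anomalous window, watch what the filters do, then adjust or drop them) can be sketched in a few dozen lines. The code below is an added illustration for this archive page; it is not Radware's code, not anything posted in the thread, and it does not reproduce any vendor's thresholds. The feature set (source IP and DNS query ID, two of the 17 parameters listed), the thresholds, the TTL logic and all traffic windows are constructed assumptions for the example.

```python
"""Adaptive anomaly-based flood filter: learn per-parameter baselines from clean
traffic windows, install short-lived filters on parameter values that dominate
an anomalous window, measure their effect, and let them drain when the excess
traffic disappears.  Illustrative design (assumed, not any vendor's code)."""
from collections import Counter
from dataclasses import dataclass

FEATURES = ("src_ip", "dns_query_id")   # two of the parameters the post lists


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dns_query_id: int


@dataclass
class Filter:
    feature: str
    value: object
    ttl: int          # windows the filter survives without being refreshed
    matched: int = 0  # packets it blocked in the last window


class AdaptiveFilterEngine:
    def __init__(self, rate_factor=3.0, share_factor=4.0, ttl=2):
        self.rate_factor = rate_factor    # window is anomalous above rate_factor * baseline rate
        self.share_factor = share_factor  # a value is suspect above share_factor * baseline share
        self.ttl = ttl
        self.base_rate = 0.0
        self.base_share = {}
        self.filters = []

    def learn(self, windows):
        """Baseline: mean packets per window and, per feature, the largest share
        any single value took in any clean window."""
        self.base_rate = sum(len(w) for w in windows) / len(windows)
        for f in FEATURES:
            self.base_share[f] = max(
                max(Counter(getattr(p, f) for p in w).values()) / len(w) for w in windows)

    def anomalous(self, window):
        return len(window) > self.rate_factor * self.base_rate

    def propose(self, window):
        """Dynamic filters for parameter values that dominate an anomalous window."""
        if not self.anomalous(window):
            return []
        active = {(f.feature, f.value) for f in self.filters}
        return [Filter(feat, value, self.ttl)
                for feat in FEATURES
                for value, n in Counter(getattr(p, feat) for p in window).items()
                if n / len(window) > self.share_factor * self.base_share[feat]
                and (feat, value) not in active]

    def step(self, window):
        """One window: add filters, apply them, judge the effect, then age or refresh."""
        self.filters.extend(self.propose(window))
        passed, blocked = [], []
        for flt in self.filters:
            flt.matched = 0
        for p in window:
            hits = [flt for flt in self.filters if getattr(p, flt.feature) == flt.value]
            for flt in hits:
                flt.matched += 1
            (blocked if hits else passed).append(p)
        # Effect check: did the residual (passed) traffic fall back near the baseline?
        report = {"passed": len(passed), "blocked": len(blocked),
                  "effective": len(passed) <= 2 * self.base_rate,
                  "filters": [(f.feature, f.value, f.matched) for f in self.filters]}
        # Adjust: a filter still catching traffic during an anomaly is refreshed;
        # otherwise it decays, so a filter on a weak key (a query ID that real
        # clients also use) only costs legitimate traffic for a few windows.
        for flt in self.filters:
            flt.ttl = self.ttl if self.anomalous(window) and flt.matched else flt.ttl - 1
        self.filters = [flt for flt in self.filters if flt.ttl > 0]
        return report, blocked


def legit_window(salt):
    """Constructed clean traffic: 20 clients, 2 queries each, distinct query IDs."""
    return [Packet(f"10.0.0.{c + 1}", (salt * 1000 + c * 31 + k * 17) % 65536)
            for c in range(20) for k in range(2)]


def attack_window(salt):
    """Constructed flood: one source, constant query ID 4660, plus one legitimate
    query that happens to reuse that ID (collateral-damage candidate)."""
    return legit_window(salt) + [Packet("10.0.0.3", 4660)] + [Packet("198.51.100.7", 4660)] * 400


def demo():
    eng = AdaptiveFilterEngine()
    eng.learn([legit_window(s) for s in range(5)])
    r1, _ = eng.step(attack_window(5))                                        # flood starts
    r2, _ = eng.step(attack_window(6))                                        # flood continues
    r3, collateral = eng.step(legit_window(7) + [Packet("10.0.0.3", 4660)])  # flood stops
    r4, _ = eng.step(legit_window(8))                                         # filters drain
    return r1, r2, r3, r4, collateral, eng


if __name__ == "__main__":
    for r in demo()[:4]:
        print(r)
```

Two things worth noticing when running it. First, the filter keyed on the DNS query ID is "effective" by the engine's own measure, yet it still blocks the legitimate client that reuses ID 4660 for a couple of windows after the flood ends; that is exactly the brief blocking of legitimate traffic the quoted post admits to, and the short TTL is what bounds it. Second, the whole approach depends on the attacker holding some parameter constant; a flood with spoofed random sources and random query IDs produces no dominant value, no filter is proposed, and the residual-traffic check simply reports "not effective".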
