Re: Intrusion Detection Evaluation Datasets

[Damiano Bolzoni <damiano.bolzoni () utwente nl>]

On 18/03/2009 22.39, Stefano Zanero wrote:

> Can you think of an instance of attack where detecting this is important ?

If I were a bank, I would be pretty much unhappy to have 10 bogus 
requests per second that consume the bandwidth, CPU cycles, and system 
memory, because the web server is allocating space to store the POST 
body, by slowly sending up to 248Kb (sometimes it took 1 minute). They 
do care about availability, and this is clearly a DoS.
Besides, it's true that a rate of 10 requests per second it's 
nothing...but since the requests were coming from more than 50 different 
countries, I don't expect to be that difficult to increase the rate by 
infecting new hosts.
Then you can argue that the attacker can use something like 
ABCDEFGHILMN... instead of AAAAAAAAAAAAA..., and things would get tough 
again. But I guess you know what would be my answer, given that this 
attack has been detected with an anomaly-based NIDS ;)

--
Damiano Bolzoni

damiano.bolzoni () utwente nl
Homepage http://dies.ewi.utwente.nl/~bolzonid/
PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: damiano.bolzoni () utwente nl

Distributed and Embedded Security Group - University of Twente
P.O. Box 217 7500AE Enschede, The Netherlands
Phone +31 53 4892477
Mobile +31 629 008724
ZILVERLING building, room 3013