RE: RE: Attack profiling tool?

["Gareth Blades" <list.fulldisclosure () webscreen-technology com>]

Sorry but I disagree. Firewalls don't defent against connection floods
(naptha type attacks) very well at all.
Take Cisco PIX as an example which has a setting where you can limit the
maximum connection rate and the number of connections. The connection rate
for the attack is quite low so this won't help and although the firewall
will stop too many connections from being established to the web server this
is done as a general hard limit. Once the limit is reached then no other
connections are permitted though. This may stop a webserver from crashing
but it still leaves the website unavailable.
Firewall-1 is no better.

Statefull packet inspection won't help at all as the packets being sent are
100% valid.

Besides as I said originally our own defense product is sitting infront and
this does block this type of attack. The URL I pointed to with the packet
capture was produced by our product. I was wondering what tool it could be
doing this probing as I have seen the exact same profile of probing from at
least 4 different IP addresses.

> -----Original Message-----
> From: Abraham Lincoln [mailto:sunninja () scientist com]
> Sent: Friday, July 11, 2003 12:44
> To: Gareth Blades
> Subject: Re: [Full-disclosure] RE: Attack profiling tool?
>
>
>    Lotsa available solution for that. IP Stack tunning and web
> server such apache as u said... their are ways to set the rate
> limit properly... and beside if ur web server behind a stateful
> packet inspection fw it would prevent the attack the method of
> the attacker is quite old.
>
>
> ----- Original Message -----
> From: "Gareth Blades" <list.fulldisclosure () webscreen-technology com>
> Date: Fri, 11 Jul 2003 09:47:37 +0100
> To: "Fulldisclosure" <full-disclosure () lists netsys com>
> Subject: [Full-disclosure] RE: Attack profiling tool?
>
> > > From: Abraham Lincoln [mailto:sunninja () scientist com]
> > > Sent: Friday, July 11, 2003 03:19
> > > To: Gareth Blades
> > > Subject: Re: Attack profiling tool?
> > >    no need for a expensive technology. block port 443 or if not
> > > possible use a proactive security module that would circumvent
> > > such attacks eg: linux security module that would intercept all
> > > calls if abnormal just kill it :) Not using expensive and
> > > signature/rule based technology. Like Anti-Virus its a protection
> > > against yesterday's threat as morning_wood say heh
> >
> > That will not work very effectivly against this type of attack.
> There are
> > tools you can use (and quite a good module for apache) which
> can be used to
> > limit the number of connections from particular clients.
> However if you set
> > the limit too low you block people coming in via the big proxy
> servers. If
> > you set the limit too high then the maximum number of connections can be
> > reached with a relativly small number of machines.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> __________________________________________________________
> Sign-up for your own FREE Personalized E-mail at Mail.com
> http://www.mail.com/?sr=signup
>
> CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
> http://corp.mail.com/careers


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html