Full Disclosure mailing list archives
RE: RE: Attack profiling tool?
From: "Gareth Blades" <list.fulldisclosure () webscreen-technology com>
Date: Fri, 11 Jul 2003 13:38:17 +0100
Sorry but I disagree. Firewalls don't defent against connection floods (naptha type attacks) very well at all. Take Cisco PIX as an example which has a setting where you can limit the maximum connection rate and the number of connections. The connection rate for the attack is quite low so this won't help and although the firewall will stop too many connections from being established to the web server this is done as a general hard limit. Once the limit is reached then no other connections are permitted though. This may stop a webserver from crashing but it still leaves the website unavailable. Firewall-1 is no better. Statefull packet inspection won't help at all as the packets being sent are 100% valid. Besides as I said originally our own defense product is sitting infront and this does block this type of attack. The URL I pointed to with the packet capture was produced by our product. I was wondering what tool it could be doing this probing as I have seen the exact same profile of probing from at least 4 different IP addresses.
-----Original Message----- From: Abraham Lincoln [mailto:sunninja () scientist com] Sent: Friday, July 11, 2003 12:44 To: Gareth Blades Subject: Re: [Full-disclosure] RE: Attack profiling tool? Lotsa available solution for that. IP Stack tunning and web server such apache as u said... their are ways to set the rate limit properly... and beside if ur web server behind a stateful packet inspection fw it would prevent the attack the method of the attacker is quite old. ----- Original Message ----- From: "Gareth Blades" <list.fulldisclosure () webscreen-technology com> Date: Fri, 11 Jul 2003 09:47:37 +0100 To: "Fulldisclosure" <full-disclosure () lists netsys com> Subject: [Full-disclosure] RE: Attack profiling tool?From: Abraham Lincoln [mailto:sunninja () scientist com] Sent: Friday, July 11, 2003 03:19 To: Gareth Blades Subject: Re: Attack profiling tool? no need for a expensive technology. block port 443 or if not possible use a proactive security module that would circumvent such attacks eg: linux security module that would intercept all calls if abnormal just kill it :) Not using expensive and signature/rule based technology. Like Anti-Virus its a protection against yesterday's threat as morning_wood say hehThat will not work very effectivly against this type of attack.There aretools you can use (and quite a good module for apache) whichcan be used tolimit the number of connections from particular clients.However if you setthe limit too low you block people coming in via the big proxyservers. Ifyou set the limit too high then the maximum number of connections can be reached with a relativly small number of machines. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html-- __________________________________________________________ Sign-up for your own FREE Personalized E-mail at Mail.com http://www.mail.com/?sr=signup CareerBuilder.com has over 400,000 jobs. Be smarter about your job search http://corp.mail.com/careers
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Attack profiling tool? Gareth Blades (Jul 10)
- Re: Attack profiling tool? morning_wood (Jul 10)
- Re: Attack profiling tool? daniel uriah clemens (Jul 10)
- RE: Attack profiling tool? Gareth Blades (Jul 11)
- <Possible follow-ups>
- RE: Attack profiling tool? Gareth Blades (Jul 11)
- RE: Attack profiling tool? Gareth Blades (Jul 11)
- RE: RE: Attack profiling tool? Gareth Blades (Jul 11)
- RE: RE: Attack profiling tool? Ron DuFresne (Jul 11)
- RE: RE: Attack profiling tool? Gareth Blades (Jul 11)
- RE: RE: Attack profiling tool? Ron DuFresne (Jul 11)
- RE: RE: Attack profiling tool? Gareth Blades (Jul 11)
- RE: RE: Attack profiling tool? Ron DuFresne (Jul 11)
- RE: RE: Attack profiling tool? Gareth Blades (Jul 11)