Penetration Testing mailing list archives
Re: DoS/DDoS Attack
From: "Kevin Willock (IGSN Security)" <kevin () igsn com>
Date: Fri, 14 Jan 2005 11:41:25 -0700
Wallisch, Philip wrote:
There are a lot of devices out there that can mitigate attack traffic. These devices work to varying degrees of effectiveness. The new trend is to inject data into a table, and get a baseline for what "normal" traffic is on your system. Then when abnormal traffic begins to appear these devices will compare against your regular traffic and the new flurry of packets that are coming in, and make intelligent decisions (based on commonalities that appear in traffic (IE: incrementing packet #'s, same TTL etc).I wouldn't say "no way of determining". Check out http://www.riverhead.com/ Through the use of baselines and complicated algorithms you can scrub at least some of that traffic. -----Original Message----- From: Faisal Khan [mailto:faisal () netxs com pk] Sent: Friday, January 14, 2005 1:06 AM To: pen-test () securityfocus com Subject: DoS/DDoS Attack Folks, Two quick questions.When IP (Source) addresses are spoofed, is there no way of determining (a) that the IP Source Addresses is spoofed and not the genuine one (b) to be able to determine the actual IP address that is sending DoS packets?Somehow I get the feeling I'm SOL when trying to find out the "genuine/actual" source IP address.If this is the case, then pretty much we all are helpless with DoS/DDoS attacks - considering one can write a script/program to keep incrementing or randomly assigning spoofed source addresses in the DoS packets being sent out.Faisal Faisal Khan, CEO Net Access Communication Systems (Private) Limited ________________________________ Network Security - Secure Web Hosting Managed Internet Services - Secure Email Dedicated Servers - Reseller Hosting Visit www.netxs.com.pk for more information.
These devices are costly, and are sometimes beyond the scope of some operators, but you can discuss with your ISP getting actively involved in implementing a device, and offering the service to a range of clients at a fee to cover the costs of purchasing and administrating these devices. There are also third party groups that offer packet scrubbing services, and employ multiple devices and offer a sort of proxy service. These groups are now offering SLA's and when gauged against the cost of outright buying one of these devices and training staff to administrate them, is often a more economically feasible solution to the problem.
Kevin Willock IGSN Security
Current thread:
- RE: DoS/DDoS Attack Wallisch, Philip (Jan 14)
- Re: DoS/DDoS Attack Kevin Willock (IGSN Security) (Jan 14)
- <Possible follow-ups>
- RE: DoS/DDoS Attack Josh Walkson (Jan 15)
- RE: DoS/DDoS Attack Gregory D. McPhee (Jan 15)
- RE: DoS/DDoS Attack rzaluski (Jan 17)
- RE: DoS/DDoS Attack FXCM - Brandon Palmer (Jan 17)