Snort mailing list archives
Re: Network & Systems Cloaking Tool
From: Tommy <tommy () secure sh>
Date: Fri, 08 Nov 2002 16:13:00 -0600
Hello, At 12:45 PM 11/8/2002, Kirill Alder-Ponazdyr wrote:
So you want to tell us all, that you have developed the system, which for example would differentiate between a person infront of Computer calling up a web site, and a robot (Thousands of robots to be exact), which randomly, but logically follows a carefuly crafter map of your site, and bashes your Scripts. And this without any configuration ? Transaprent and Plug and Play ???
Yes. That is exactly what I am saying this system does. It is break-through technology ;-) http://www.dos-protection.com/html/dos___ddos.html And it also cloaks the network infrastructure behind it, which is equally unique. ;-) http://www.dos-protection.com/html/cloaking.html
I am not a pessimist, but somehow I have a hard time believing in this.
LOL, well so far $115m have been invested in other companies to accomplish this, and as of today or so another $28m - and I think it is fair to say that none of the other solutions come even close. You prob read the reviews from DDoS World and NW Fusion (links on the site).
As of solving the Flood DoS by protecting the upstream: What use is that to you if I flood your downstream pipe so badly, that almost no traffic passes trough ? Sure it is harder to do, and downstream traffic at most serving sites is way way lower than upstream, but still, I might not shut your site down, but I can make your availability, mail traffic and so on suffer quite well.
Well, there are two different kinds of DDoS attacks: - bandwidth/pipe flooding - application-level attack The bandwidth flooding you mention is indeed best stopped at the carrier level, and can be done with iSecure, and basic QoS settings (see DDoS measures on the Cisco website). The application level attack is much harder to defend against, since one needs to determine which of the traffic is "good" and whichis "bad" (i.e. DDoS). That is the most critical area, and applies to all levels of the bandwidth hierarchy, and both for public/internet connections, as well as internal (usually large corporate) networks. This is the kind of attack iSecure is geared against.
It was this way and it will stay this way: The only effective way to block pipe floods is on your Carrier side.
Agreed, bandwidth flooding is best stopped upstream - but you still ave to deal with the more difficult application-level attacks. Thanks for your response! Thomas
----------------- Kirill Alder-Ponazdyr SGI / SUN UNIX Consultant Codeangels Solutions Phone : +41 43 844 90 10 Fax : +41 43 844 90 12 Mobile: +41 79 370 89 30 On Fri, 08 Nov 2002 12:08:50 -0600 Tommy <tommy () secure sh> wrote:Hey, LOL, yes, the site is currently geared towards the following communities: - endorsers (such as FBI, CIA, NSA, ICANN, etc) - buyers (collect orders for factoring credit) - investors (VC money to start production) The techie in me is dying to share the technology, how it works, but the business person in me also wants to build a business, and that's what we filed patents for to protect the technology (it is proprietary), so unfortunately I cannot disclose the "juicy" stuff y'all are looking for. I believe in the Open Source model, but open source was not used to develop this system. It's break-through cloaking technique however works very well with IDS systems, and Snort is surely one of the best (we are using & implementing it), and that's why I ran it through the list. Feedback on the functionality is, however, most welcome! The box has been tested and it works, actually extremely well, without any configuration, and as you can see, you will all soon have a chance to test it 'live' over the internet, or see it in person and perform cloaking/scanning and/or DDoS attacks on site. On a side note: so far I have gone through a lot of pain to bring the product thus far, and it makes me feel good that it sparks curiosity in the tech community. It is always fun to see people (who understand the challenges and the imbedded technology) test it and say "WOW!!" ;-) Thanks for your time, Thomas At 11:53 AM 11/8/2002, twig les wrote:Now I'm curious. I looked at the site, but it seems a bit geared toward management. Exactly how does this box decide what traffic is legit and what isn't? This has been the crux of the computer security world's problem since the get-go. I understand the whole do-it-in-asic part for wire speed, but the black box thing is a tough for me to trust. Is there a more detailed doc about this? Sorry to hammer you, but this is an open-source list you're posting to. --- Tommy <tommy () secure sh> wrote:At 06:51 PM 11/6/2002, <hackerwacker () cybermesa com> wrote:No box can protect against a DoS, if it sits at thecustomer end of a pipe, and the DoS is filling the pipe. Hello hackerwacker, as you know, there are two different types of DDoS attacks: 1) flood the pipe 2) attack on application level The bandwidth flooding DDoS attacks are fairly easy to catch with QoS stuff (or iSecure), and should be caught upstream if targeted against a small-bandwidth connection. Even though iSecure also defends against this type of attack, the key feature is defense against application-level DDoS attacks, and not shutting the pipe down (same effect as DDoS), but determination which is "good" traffic (passes), and which is "DDoS" traffic (stopped). This application-level attack is the more devastating, and the most difficult to combat - and this is what iSecure does: http://www.dos-protection.com/html/dos___ddos.html There is a lot of money being spent on the development of other DDoS Defense systems (~$300m so far), and there are some in the market, all of which according to a review by DDoS World in NW Fusion have significant drawbacks, are hard to configure, and/or simply do not work (such as: Sync4 crashes the DDoS Defense system). iSecure does not require any configuration (black box concept) and works against all flooding and application-type DDoS attacks as an inline scanner, successfully eliminating DDoS attacks in real-time, while letting "good" (desireable) traffic pass - and without bandwidth reduction. Its other feature is the network & systems cloaking, which is truly unique (I know of no other system which does that), and which in conjunction with an IDS system can allow for more effective detection & traces, as it forces the attacker to log all ports in the scan range (or all 65,535) twice - while logging all as being 'open' and then to generate the list of "interesting ports" - i.e. the same, slowing down the probe dramatically. This is why I wanted to run it by the Snort community. Even NMAP can't figure out whats behind the system. More at: http://www.dos-protection.com/html/cloaking.html Thanks for your time, Thomas Thomas J. Ackermann Mobile: 214-403-5368 Melior, Inc. --- Perfectionists At Work. (TM) Internet Infrastructure & Security Architects in Dallas,Silicon Valley, Los Angeles, Houston, New York, India www.meliorinc.com Tel: (888) 4 MELIOR Fax: (888) TO FAX US This email is intended for the addressee only. The material may be privileged and may contain confidential information. If you have received this email in error, please notify Melior, Inc. immediately by email and delete the original. Thank you!===== ----------------------------------------------------------- If you give a man a fish, he can eat for a day If you bludgeon him to death, you can eat the fish yourself ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? U2 on LAUNCH - Exclusive greatest hits videos http://launch.yahoo.com/u2------------------------------------------------------- This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld. Power & Color in a compact size! http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Thomas J. Ackermann Mobile: 214-403-5368 Melior, Inc. --- Perfectionists At Work. (TM) Internet Infrastructure & Security Architects in Dallas,Silicon Valley, Los Angeles, Houston, New York, India www.meliorinc.com Tel: (888) 4 MELIOR Fax: (888) TO FAX US This email is intended for the addressee only. The material may be privileged and may contain confidential information. If you have received this email in error, please notify Melior, Inc. immediately by email and delete the original. Thank you!
Current thread:
- Network & Systems Cloaking Tool Tommy (Nov 06)
- Message not available
- Re: Network & Systems Cloaking Tool Tommy (Nov 08)
- Re: Network & Systems Cloaking Tool twig les (Nov 08)
- Re: Network & Systems Cloaking Tool Tommy (Nov 08)
- Re: Network & Systems Cloaking Tool Frank Knobbe (Nov 08)
- Re: Network & Systems Cloaking Tool Frank Knobbe (Nov 08)
- Re: Network & Systems Cloaking Tool Tommy (Nov 08)
- Message not available
- Re: Network & Systems Cloaking Tool Tommy (Nov 08)
- Message not available