Security Basics mailing list archives

RE: mcafee DDOS solution


From: "Yannick Chanoine" <ychanoine () interdata fr>
Date: Wed, 4 Jul 2012 13:39:20 +0200

These tools are proposed to companies in order to give information on botnet
propagation, outgoing spam or, as you say, outgoing DDoS.
Regarding DDoS, the only approach (IMHO) is to filter or shape on the ISP's
backbones or peering points, where bandwidth is not a matter.
If you filter suspicious traffic in places where bandwidth is not a problem,
then you "solve" the problem.

Back to your example, you can avoid the traffic jam by:
- filtering the hooligans right out the stadium (outgoing DDoS filtered at
the company or individual access point); --> financial and technical
problems will seriously limit this option
- filtering and shaping traffic on the highway (left lane for actual
customers, middle lane for neighborhood, right lane for tourists, toll for
hooligans...).

Regards,

Yannick 


-----Original Message-----
From: pentester [mailto:pentester () surfhier nl]
Sent: Wednesday, 4 July 2012 12:18
To: Yannick Chanoine
Cc: security-basics () securityfocus com
Subject: Re: mcafee DDOS solution

I'm sorry to say, but a company or individual cannot protect against DDoS
on layer 4. Not even with an Allot ServiceProtector. I'm sure the Allot
ServiceProtector can detect a DDoS and drop packets after it is determined
they are malicious, but it can't prevent the packets from being delivered to
the Allot ServiceProtector itself. And DoSsing the Allot ServiceProtector also
means that all services protected by it are DoSsed as well.

Imagine this: a security guard is protecting the entrance of a supermarket
and only allows entrance to real customers (let's assume the guard can tell
the difference between bad and good customers). Now a
football/soccer/baseball stadium full of people approaches the supermarket.
The entrance is blocked, because the street can't handle that amount of
simultaneous pedestrians. The security guard makes sure the bad traffic is
dropped (exits through a facility that can handle this enormous load). Now
the good traffic, all three of them, can't reach the entrance because 50.000
pieces of bad traffic are blocking it. The supermarket is DoSsed, no matter
how well the security guard does its job.

The comparison is not completely valid. In reality, a DoS in the internet world
is even worse. Even if there is some magic that reduces the effect of the
DDoS, the attacker can always decide to saturate the victim's access router,
making even the Allot ServiceProtector inaccessible.

The Allot ServiceProtector would probably help to prevent you from DoSsing
something :-)

Cor

On Jul 4, 2012, at 11:30 AM, Yannick Chanoine wrote:

Hi,

You can act on DDoS on Layer 4 and apply policies to shape traffic:

http://www.allot.com/Service_Protector.html (previously Esphion)

http://www.arbornetworks.com/arbor-pravail-availability-protection-system.html

Regards,


Yannick

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of alain.karioty () corero com
Sent: Wednesday, 4 July 2012 10:52
To: security-basics () securityfocus com
Subject: Re: Re: mcafee DDOS solution

ISP can block volumetric DDoS attacks (layer 2/3).

When the attack is built with tools like LOIC, SLOW LORIS, HULK, Hping,...
the ISP cannot do anything.

The ISP only counts packets and looks at traffic anomalies. All the tools
used today for DDoS are working on layer 7 and have similar behaviour
to a legitimate connection.

The right strategy is ISP service for volumetric attacks and on
premise DDoS Defense solution for Layer 7 attacks, reflective attacks
(spoofing), specially crafted packet attacks and other kinds of
attacks which may be generated by compromised internal hosts.

Regards,

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server.
Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and
digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



