Firewall Wizards mailing list archives
***SPAM*** Re: Firewalls that generate new packets..
From: Dave Piscitello <dave () corecom com>
Date: Fri, 30 Nov 2007 16:45:37 -0500
If I understand your email, you are saying firewalls are good at (2). I doubt if anyone disagrees with you but that's not a huge accomplishment for a firewall in 2007.
(1) is the huge problem area. BCP38 does encourage behavior that would mitigate some but not all DDOS attacks of this kind. Think Estonia.
(3) is also a more important problem today than (2). So I'm not certain that you've done much to debunk the "firewalls can't prevent DDOS attacks" assertion.
Darden, Patrick S. wrote:
I believe you are missing the point. Three types of DOS:

1. bandwidth flood--several dos and most ddos, smurf, stacheldraht, only way to protect against them is to prevent them, only way to prevent them is if all networks protect others from themselves.
2. purposely (mal)shaped packets--teardrop, ping of death, etc.; any good firewall prevents known examples.
3. application shaped--e.g. sending a continuous stream of connection packets to an apache web server, letting them time out at 15 minutes, thus keeping others from connecting; etc.

Most security features provide *very limited* relief from this, limiting the # of connections from the same sip, decreasing tcp timeout from 15 mins to 30 seconds, etc.

Helpful?

--Patrick Darden

-----Original Message-----
....
http://www.sans.org/dosstep/index.php?portal=fa88d69a3aede10976f8f2dc977d796e

I see nothing in that article that explains how a firewall can be used to defend against a DOS (or DDOS) attack. All I see is how to avoid yourself from being used as the source of one - where source IP addresses are forged.

When I've got an army of 100,000 pc's scattered around the globe ready to try and connect() to your web server (without spoofing an IP#), how does anything in that article help?

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards