IDS mailing list archives

RE: Intrusion prevention and dDos protection


From: "Rob Shein" <shoten () starpower net>
Date: Tue, 26 Aug 2003 11:31:41 -0400

I don't understand how the cloaking would work.  It would seem to me that a
firewall that drops all inbound packets that are not part of an existing
connection is as invisible as a system that isn't online...but if you have
to run a web server or mail server or pretty much any kind of server that
accepts connections from the outside, you are suddenly visible.  Setting
rules in the firewall so that only known good addresses don't have their
packets dropped can get you the same effect, but only if you know exactly
who should be speaking to you before they try to do it.

-----Original Message-----
From: Darren Windham [mailto:dwindham () dallastelco org] 
Sent: Tuesday, August 26, 2003 11:24 AM
To: 'Paul Benedek'; 'Rob Shein'; focus-ids () securityfocus com
Subject: RE: Intrusion prevention and dDos protection


The other side to this particular product I am looking at is 
its cloaking feature.  It definitely makes it very difficult 
to break into a network that you cannot map or have a good 
idea of what is behind it.  I'm also looking at it from the 
NCUA and other financial regulations since they require 
financial institutions to undergo annual pen testing.  With a 
product like this it would almost be a moot point.  You would 
still have to maintain your systems to current patch levels 
and use good practices on configuring them.




-----Original Message-----
From: Paul Benedek [mailto:paul.benedek () excis co uk]
Sent: Tuesday, August 26, 2003 11:19 AM
To: 'Rob Shein'; Darren Windham; focus-ids () securityfocus com
Subject: RE: Intrusion prevention and dDos protection


Rob,

You have a point.  There are some considerations that may be 
pertinent with regard to this issue.  Firstly as you point 
out, there are no definitive solutions.  If there were any 
definitive solutions they would almost certainly rely on good 
design practices and this is what is being advocated here.  
Any connection to the Internet should include liaison and 
design with the ISP.  Most ISP's will allow rate limiting at 
the edge within their domain if you request it.  Similarly if 
you rate limit at your edge, you control the traffic passing 
across the edge into your realm. 

In terms of dropping traffic on the edge, again a DDOS can 
overwhelm the resources dealing with incoming and outgoing 
traffic, however you can control the switching of network 
traffic and the amount of CPU interrupts called on most 
routers.  By being granular in your approach and by black 
holing non essential service specific traffic, you are less 
likely to overwhelm your own critical network resources such 
as firewalls and routers. This is done by specifying ports, 
disallowing fragmented traffic and non essential traffic like ICMP.  

Sadly my flawed assumptions require an in depth security 
solution that involves many different parties.  It is not 
ideal and only offers a limited defence against a DDOS.  The 
point being that this solution may be better than nothing and 
if it can prevent you being hit by at least one DDOS, it may 
be worth considering.

Regards


Paul Benedek
Director
Excis Networks Limited
http://www.excis.co.uk

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: 26 August 2003 14:31
To: 'Paul Benedek'; 'Darren Windham'; focus-ids () securityfocus com
Subject: RE: Intrusion prevention and dDos protection

Even this is predicated upon a critical and flawed 
assumption, being that the pipe leading to your border router 
has more bandwidth than the pipe leading from it.  This is 
not the case; any rate limiting cannot be done by you and 
must be done by the ISP itself.  While this is possible, it 
is out of the realm of product-based solutions and goes more 
towards cooperative efforts with the ISP, which is the basis 
of all DDOS defense anyways.

Denying types of traffic at your border will be useless; 
that's like the highly aware security guard at the front 
desk.  The bad people aren't getting past him, but it's 
already too late for that to matter.

-----Original Message-----
From: Paul Benedek [mailto:paul.benedek () excis co uk]
Sent: Tuesday, August 26, 2003 5:18 AM
To: 'Rob Shein'; 'Darren Windham'; focus-ids () securityfocus com
Subject: RE: Intrusion prevention and dDos protection


Hi,

Although the analogy is correct and a well-planned DDos
attack can cause you to lose services, there are several 
things that you can do to limit the chances of success.

Firstly at your ISP edge you can introduce rate limiting.  By
limiting the amount of certain types of traffic, you can 
allow for legitimate traffic to pass.  For example if you 
have a 2 meg pipe, you can limit the amount of UDP to half a 
meg, tcp on port 80 and 443 to 1 meg and half a meg for other 
traffic.  If the traffic exceeds these values, you can force 
the traffic to be dropped.

If you are explicit with the traffic you are allowing, you
can further limit the effects of a DDOS attack.  For example 
you can deny all fragmented traffic and ICMP.  You can 
specify the hosts and ports that need connectivity with a 
high degree of granularity and drop all other traffic. 
Furthermore if you implement RFC2827 filtering you can limit 
the chances of being used as a DDOS engine yourself.

In most cases a well thought out DMZ and ISP edge can reduce
the chances of a success, however as pointed out, you will 
not get total protection.  You may however be able to keep 
critical services operational at the time of a DDOS attack.


Regards,

Paul Benedek
Director
Excis Networks Limited
http://www.excis.co.uk
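The per-class rate limits and the RFC 2827 egress check described in Paul's message can be seen working in the following simulation. This is an added example, not code from the list or from any product discussed in the thread; the budgets are the post's constructed figures (a 2 Mbit/s pipe split into 0.5 Mbit/s UDP, 1 Mbit/s TCP 80/443, 0.5 Mbit/s other), the addresses are RFC 5737 documentation ranges, and the traffic mix is constructed. It goes a little beyond the post by showing what a UDP flood does to the UDP class while HTTPS in its own class keeps passing.

```python
"""Added example: class-based rate limiting (token bucket per class), explicit
denies for fragments and ICMP, and RFC 2827-style egress filtering.
Budgets are the constructed figures from the post; addresses are RFC 5737
documentation ranges, not real hosts."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Per-class budgets in bits per second (constructed from the post's figures).
CLASS_BUDGET_BPS = {"udp": 500_000, "web": 1_000_000, "other": 500_000}


@dataclass
class Packet:
    src: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    size: int = 0       # bytes on the wire
    fragment: bool = False


def classify(pkt: Packet) -> str:
    """Map a packet onto one of the three rate-limit classes."""
    if pkt.proto == "udp":
        return "udp"
    if pkt.proto == "tcp" and pkt.dport in (80, 443):
        return "web"
    return "other"


@dataclass
class TokenBucket:
    """Classic token bucket: tokens are bytes, refilled at rate_bps."""
    rate_bps: float
    burst_bytes: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bytes

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class EdgePolicy:
    """Inbound: explicit denies, then a per-class rate limit.
    Outbound: drop anything whose source is not inside the site's own prefix
    (the RFC 2827 idea, so the site cannot act as a spoofed-source DDoS engine)."""

    def __init__(self, site_prefix: str, burst_seconds: float = 0.1):
        self.site = ip_network(site_prefix)
        self.buckets = {name: TokenBucket(bps, bps / 8 * burst_seconds)
                        for name, bps in CLASS_BUDGET_BPS.items()}
        self.stats: dict = {}

    def _count(self, key: str, verdict: bool = False) -> bool:
        self.stats[key] = self.stats.get(key, 0) + 1
        return verdict

    def inbound(self, pkt: Packet, now: float) -> bool:
        if pkt.fragment:
            return self._count("drop-fragment")
        if pkt.proto == "icmp":
            return self._count("drop-icmp")
        cls = classify(pkt)
        if self.buckets[cls].allow(pkt.size, now):
            return self._count(f"pass-{cls}", True)
        return self._count(f"drop-rate-{cls}")

    def outbound(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in self.site:
            return self._count("drop-spoofed-src")
        return self._count("pass-out", True)


def run_flood_scenario() -> dict:
    """Constructed traffic: a 0.1 s window with a UDP flood (1000 x 1000 B, far
    above the UDP budget) interleaved with ten legitimate HTTPS packets, one
    ICMP probe, one fragment, and two outbound packets (one with a spoofed source)."""
    policy = EdgePolicy("192.0.2.0/24")
    for i in range(1000):
        policy.inbound(Packet("198.51.100.7", "udp", 53, 1000), now=i * 1e-4)
        if i % 100 == 0:
            policy.inbound(Packet("203.0.113.9", "tcp", 443, 1500), now=i * 1e-4)
    policy.inbound(Packet("203.0.113.9", "icmp", 0, 64), now=0.05)
    policy.inbound(Packet("203.0.113.9", "tcp", 80, 1500, fragment=True), now=0.05)
    policy.outbound(Packet("192.0.2.10", "tcp", 443, 1500))    # legitimate source
    policy.outbound(Packet("198.51.100.7", "udp", 53, 1000))   # spoofed source
    return policy.stats


if __name__ == "__main__":
    for key, count in sorted(run_flood_scenario().items()):
        print(f"{key:20s} {count}")
```

The point the simulation makes is the one Paul is arguing: the UDP flood exhausts only the UDP class (a handful of packets pass on the initial burst, the rest are dropped), while every HTTPS packet passes because it is budgeted separately. On real equipment the same shape is expressed as per-class policing on the edge router, and the egress check is an access list that permits only the site's own prefix as a source on the outbound interface.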

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: 23 August 2003 18:26
To: 'Darren Windham'; focus-ids () securityfocus com
Subject: RE: Intrusion prevention and dDos protection

I would hasten to point out that there isn't anything you can
buy that will give you DDos protection.  While a firewall/IPS 
is like a security guard at the entrance to a building to 
keep bad people out, a DDos attack is like so many bad people 
trying to get into the building that they choke the streets 
leading up to it; nothing you can put in your building will 
deal with that congestion or prevent it.

-----Original Message-----
From: Darren Windham [mailto:dwindham () dallastelco org]
Sent: Thursday, August 21, 2003 10:17 AM
To: focus-ids () securityfocus com
Subject: Intrusion prevention and dDos protection


I recently had the chance to meet with the guys over at Melior and 
talk about their iSecure platform.  Has anyone else taken a look at 
it?  I was pleasantly surprised at its performance.  I ran most of 
the common scanners on both Linux and Windows platforms and had no 
such luck with it.  I can only hope that more products like this 
make it to the mainstream marketplace.  If you are looking for an 
IPS/dDos prevention I'd make sure you take a good look at these 
guys.

I'd love to hear feedback from others who have looked at this or 
other similar products.

Check them out at http://www.meliorinc.com

Regards,

Darren Windham
Network Administrator, Dallas Telco FCU
email: dwindham () dallastelco org

Disclaimer: The information contained in this email is confidential 
and is intended solely for the use of the person identified as the 
recipient. If you are not the intended recipient, any disclosure, 
copying, distribution, or taking of any action in reliance on the 
contents is prohibited. If you received this email in error, please 
contact the sender immediately and dispose of the contents in a 
secure manner.

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 
(Training), October 1-2 (Briefings) in Tysons Corner, VA; the 
world's premier technical IT security event.  Modeled after the 
famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, 
top speakers and sponsors.  Symantec is the Diamond sponsor.  
Early-bird registration ends September 6. Visit: www.blackhat.com
---------------------------------------------------------------------------