IDS mailing list archives

FW: [Fwd: RE: Intrusion prevention and dDos protection]


From: mpaquette () toplayer com
Date: Wed, 27 Aug 2003 08:58:17 -0400

Hi Rob,

        Your point below is not totally correct. I agree with you that *IF*
the entire Internet connection link is swamped with DoS traffic, then there
is little you can do from the organization side to affect it, but you
mistakenly assume that all DDoS attacks are successful in filling the
entirety of an organization's Internet link.  While that may indeed be
common for attacks that take place on low-speed broadband or T1 connections,
it is definitely not true for organizations with higher speed Internet
connections (10M, T3, 100M, OC-3, OC-12, Gig).  

        In any organization where their critical on-line assets (say, Web
Servers) have less capacity to withstand a particular attack, say a SYN
Flood, than the Internet connection has capacity to let in, a Denial of
Service condition can occur without filling up the Internet pipe with DoS
Traffic.  For example, with just a 10Mbit/sec Internet connection, a
significant SYN flood of 10,000 SYNs/sec can make even a load-balanced,
multi-CPU web server crawl to its knees.  In this case there is still
3+Mbit/sec of "free" bandwidth left over for legitimate requests to the web
servers, but such requests will not be serviced because the servers are
suffering from the attack - denial of service is achieved.

        Extending your analogy, think of these types of DDoS attacks not as
street cloggers, but more like excess orderers.  If 5 people show up at a
fast food restaurant, getting to all 5 order-takers at the same time, and
each takes 5 minutes asking questions and changing his mind 10 times before
ordering 25 hamburgers each, the restaurant's ability to service additional
customers during this time will stop well before the street gets clogged up,
causing a denial of service.  With a little creativity, you can probably
think of lots of things you could do inside the restaurant to ensure that
this does not take place.

        Over the past 12 months, we have seen dozens of targeted DDoS
attacks, and none of them was successful in using up the entire pipe
bandwidth.  For these types of attacks, an organization-side attack
mitigation approach can be quite effective, ensuring that legitimate
transactions can complete even in the presence of high-volume SYN floods.
If you're interested, contact me offline, and I'll provide you with a
concrete real-life example.

Thanks,
Mike P.
Top Layer Networks
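To make Mike's capacity argument concrete, here is a small model (added illustration, not code from the thread or from Top Layer) that compares how much of the link a SYN flood consumes against how quickly it exhausts a server pool's half-open connection table. The 10 Mbit/sec link and 10,000 SYN/sec rate are the figures quoted above; the bytes-per-SYN on the wire, the half-open table size and the hold time for an unanswered SYN are assumed values.

```python
"""Model of a SYN flood that starves servers before the link fills.

Added illustration for the thread above, not the poster's own code.
Frame size, backlog size and half-open hold time are assumptions.
"""
from dataclasses import dataclass

MIN_SYN_FRAME_BYTES = 64       # minimum Ethernet frame for a 40-byte IP+TCP SYN (assumed)
ETHERNET_OVERHEAD_BYTES = 20   # preamble, SFD and inter-frame gap (assumed)
WIRE_BYTES_PER_SYN = MIN_SYN_FRAME_BYTES + ETHERNET_OVERHEAD_BYTES  # 84 bytes on the wire


@dataclass
class Link:
    capacity_bps: float        # e.g. 10e6 for the 10 Mbit/sec connection in the post


@dataclass
class ServerPool:
    half_open_capacity: int    # total SYN_RECV slots across the pool (assumed)
    half_open_hold_s: float    # seconds an unanswered SYN occupies a slot (assumed)


def syn_flood_bandwidth_bps(syn_per_sec: float, wire_bytes: int = WIRE_BYTES_PER_SYN) -> float:
    """Bits per second the flood itself consumes on the link."""
    return syn_per_sec * wire_bytes * 8


def free_bandwidth_bps(link: Link, syn_per_sec: float) -> float:
    """Bandwidth still available for legitimate requests during the flood."""
    return max(0.0, link.capacity_bps - syn_flood_bandwidth_bps(syn_per_sec))


def seconds_to_exhaust_backlog(pool: ServerPool, syn_per_sec: float) -> float:
    """How long a cold half-open table survives if every SYN occupies a slot."""
    return pool.half_open_capacity / syn_per_sec


def sustainable_syn_rate(pool: ServerPool) -> float:
    """Steady-state rate of unanswered SYNs the pool absorbs without dropping (Little's law)."""
    return pool.half_open_capacity / pool.half_open_hold_s


def first_to_saturate(link: Link, pool: ServerPool, syn_per_sec: float) -> str:
    """Report which resource the flood exhausts: 'server', 'link', 'both' or 'neither'."""
    link_full = syn_flood_bandwidth_bps(syn_per_sec) >= link.capacity_bps
    server_full = syn_per_sec > sustainable_syn_rate(pool)
    if link_full and server_full:
        return "both"
    if server_full:
        return "server"
    if link_full:
        return "link"
    return "neither"
```

With the post's numbers the flood uses about 6.7 Mbit/sec, leaving roughly 3.3 Mbit/sec free, yet a 4096-entry half-open table fills in well under a second, which is the "excess orderers" case the message describes.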

-------- Original Message --------
Subject: RE: Intrusion prevention and dDos protection
Date: Sat, 23 Aug 2003 13:26:22 -0400
From: Rob Shein <shoten () starpower net>
To: 'Darren Windham' <dwindham () dallastelco org>, focus-ids () securityfocus com

I would hasten to point out that there isn't anything you can buy that will
give you DDos protection.  While a firewall/IPS is like a security guard at
the entrance to a building to keep bad people out, a DDos attack is like so
many bad people trying to get into the building that they choke the streets
leading up to it; nothing you can put in your building will deal with that
congestion or prevent it.

-----Original Message-----
From: Darren Windham [mailto:dwindham () dallastelco org]
Sent: Thursday, August 21, 2003 10:17 AM
To: focus-ids () securityfocus com
Subject: Intrusion prevention and dDos protection


I recently had the chance to meet with the guys over at
Melior and talk about their iSecure platform.  Has anyone
else taken a look at it?  I was pleasantly surprised at its
performance.  I ran most of the common scanners on both Linux
and Windows platforms and had no such luck with it.  I can
only hope that more products like this make it to the
mainstream marketplace.  If you are looking for an IPS/dDos
prevention product, I'd make sure you take a good look at these guys.

I'd love to hear feedback from others who have looked at this
or other similar products.

Check them out at http://www.meliorinc.com

Regards,

Darren Windham
Network Administrator, Dallas Telco FCU
email: dwindham () dallastelco org







---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.
Visit: www.blackhat.com
---------------------------------------------------------------------------



