IDS mailing list archives
FW: [Fwd: RE: Intrusion prevention and dDos protection]
From: mpaquette () toplayer com
Date: Wed, 27 Aug 2003 08:58:17 -0400
Hi Rob,

Your point below is not totally correct. I agree with you that *IF* the entire Internet connection link is swamped with DoS traffic, then there is little you can do from the organization side to affect it, but you mistakenly assume that all DDoS attacks are successful in filling the entirety of an organization's Internet link. While that may indeed be common for attacks that take place on low-speed broadband or T1 connections, it is definitely not true for organizations with higher speed Internet connections (10M, T3, 100M, OC-3, OC-12, Gig).

In any organization where their critical on-line assets (say, Web Servers) have less capacity to withstand a particular attack, say a SYN Flood, than the Internet connection has capacity to let in, a Denial of Service condition can occur without filling up the Internet pipe with DoS Traffic. For example, with just a 10Mbit/sec Internet connection, a significant SYN flood of 10,000 SYNs/sec can make even a load-balanced, multi-CPU web server crawl to its knees. In this case there is still 3+Mbit/sec of "free" bandwidth left over for legitimate requests to the web servers, but such requests will not be serviced because the servers are suffering from the attack - denial of service is achieved.

Extending your analogy, think of these types of DDoS attacks not as street cloggers, but more like excess orderers. If 5 people show up at a fast food restaurant, getting to all 5 order-takers at the same time, and each takes 5 minutes asking questions and changing his mind 10 times before ordering 25 hamburgers each, the restaurant's ability to service additional customers during this time will stop well before the street gets clogged up, causing a denial of service. With a little creativity, you can probably think of lots of things you could do inside the restaurant to ensure that this does not take place.
Over the past 12 months, we have seen dozens of targeted DDoS attacks, and none of them was successful in using up the entire pipe bandwidth. For these types of attacks, an organization-side attack mitigation approach can be quite effective, ensuring that legitimate transactions can complete even in the presence of high-volume SYN floods. If you're interested, contact me offline, and I'll provide you with a concrete real-life example.

Thanks,
Mike P.
Top Layer Networks

-------- Original Message --------
Subject: RE: Intrusion prevention and dDos protection
Date: Sat, 23 Aug 2003 13:26:22 -0400
From: Rob Shein <shoten () starpower net>
To: 'Darren Windham' <dwindham () dallastelco org>, focus-ids () securityfocus com

I would hasten to point out that there isn't anything you can buy that will give you DDos protection. While a firewall/IPS is like a security guard at the entrance to a building to keep bad people out, a DDos attack is like so many bad people trying to get into the building that they choke the streets leading up to it; nothing you can put in your building will deal with that congestion or prevent it.
-----Original Message-----
From: Darren Windham [mailto:dwindham () dallastelco org]
Sent: Thursday, August 21, 2003 10:17 AM
To: focus-ids () securityfocus com
Subject: Intrusion prevention and dDos protection

I recently had the chance to meet with the guys over at Melior and talk about their iSecure platform. Has anyone else taken a look at it? I was pleasantly surprised at its performance. I ran most of the common scanners on both Linux and Windows platforms and had no such luck with it. I can only hope that more products like this make it to the mainstream marketplace. If you are looking for a IPS/dDos prevention I'd make sure you take a good look at these guys. I'd love to hear feedback from others who have looked at this or other similar products. Check them out at http://www.meliorinc.com

Regards,
Darren Windham
Network Administrator, Dallas Telco FCU
email: dwindham () dallastelco org <mailto:dwindham () dallastelco org>

Disclaimer: The information contained in this email is confidential and is intended solely for the use of the person identified as the recipient. If you are not the intended recipient, any disclosure, copying, distribution, or taking of any action in reliance on the contents is prohibited. If you received this email in error, please contact the sender immediately and dispose of the contents in a secure manner.

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6
Visit: www.blackhat.com
---------------------------------------------------------------------------
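The capacity argument Mike makes above (a SYN flood exhausting the server's half-open connection table long before it exhausts the pipe) can be checked with a small steady-state model. The following is an added example, not code from the thread or from Top Layer Networks; it assumes an 84-byte on-wire cost per minimal Ethernet SYN, a constructed legitimate connection rate of 200/s, a 1024-entry SYN backlog with a 30-second half-open timeout, and a hypothetical "stateless SYN handling" switch (SYN cookies are the classic mechanism) standing in for the organization-side mitigation the post alludes to without naming. It runs Mike's 10 Mbit/s case, Rob's link-clogging case on a T1, and the mitigated case side by side.

```python
from dataclasses import dataclass

# Assumed on-wire cost of one minimal TCP SYN over Ethernet: 64-byte minimum
# frame + 8-byte preamble + 12-byte inter-frame gap = 84 bytes. This is a
# modelling assumption, not a figure from the thread.
SYN_WIRE_BYTES = 84


@dataclass(frozen=True)
class Link:
    capacity_bps: float           # e.g. 10e6 for the 10 Mbit/s link in the post


@dataclass(frozen=True)
class Server:
    half_open_limit: int          # SYN_RECV entries before new SYNs are dropped
    half_open_timeout_s: float    # how long an unanswered SYN_RECV entry lingers
    handshake_rtt_s: float = 0.1  # how long a *legitimate* SYN stays half-open
    stateless_syns: bool = False  # keep no per-SYN state until the ACK arrives
                                  # (hypothetical mitigation switch; SYN
                                  # cookies are the classic way to get this)


def link_load(pps: float, link: Link) -> dict:
    """Bandwidth consumed by `pps` SYN packets per second on `link`."""
    used = pps * SYN_WIRE_BYTES * 8
    return {
        "used_bps": used,
        "free_bps": max(link.capacity_bps - used, 0.0),
        "utilization": min(used / link.capacity_bps, 1.0),
    }


def half_open_demand(attack_rate: float, legit_rate: float, server: Server) -> float:
    """Steady-state half-open entries wanted (Little's law: N = lambda * W).

    Flood SYNs never complete, so each occupies an entry for the full timeout;
    legitimate SYNs are ACKed after one RTT and leave the table quickly.
    """
    flood = 0.0 if server.stateless_syns else attack_rate * server.half_open_timeout_s
    return flood + legit_rate * server.handshake_rtt_s


def legit_accept_fraction(attack_rate: float, legit_rate: float, server: Server) -> float:
    """Share of legitimate SYNs that find a free half-open slot."""
    demand = half_open_demand(attack_rate, legit_rate, server)
    if demand <= server.half_open_limit:
        return 1.0
    # Table is full: arriving SYNs, legitimate or not, compete for the slots
    # that free up, so only limit/demand of them get in.
    return server.half_open_limit / demand


def assess(attack_rate: float, legit_rate: float, link: Link, server: Server) -> dict:
    """Which resource gives out first: the pipe, the server, or neither."""
    load = link_load(attack_rate + legit_rate, link)
    accept = legit_accept_fraction(attack_rate, legit_rate, server)
    if load["utilization"] >= 1.0:
        bottleneck = "link"       # Rob's case: the street itself is clogged
    elif accept < 1.0:
        bottleneck = "server"     # Mike's case: pipe has room, server does not
    else:
        bottleneck = "none"
    return {"bottleneck": bottleneck, "legit_accept_fraction": accept, **load}


if __name__ == "__main__":
    flood = 10_000                # SYNs/sec, the figure from the post
    legit = 200                   # constructed legitimate connection rate
    stateful = Server(half_open_limit=1024, half_open_timeout_s=30.0)
    scenarios = [
        ("10 Mbit/s, stateful backlog", Link(10e6), stateful),
        ("T1 (1.544 Mbit/s), stateful backlog", Link(1.544e6), stateful),
        ("10 Mbit/s, stateless SYN handling", Link(10e6),
         Server(1024, 30.0, stateless_syns=True)),
    ]
    for name, link, srv in scenarios:
        r = assess(flood, legit, link, srv)
        print(f"{name}: bottleneck={r['bottleneck']}, "
              f"link {r['utilization']:.0%} used, "
              f"{r['free_bps'] / 1e6:.2f} Mbit/s free, "
              f"{r['legit_accept_fraction']:.1%} of legitimate SYNs served")
```

With the post's 10,000 SYNs/s the model leaves roughly 3.1 Mbit/s of the 10 Mbit/s link unused while a 1024-entry backlog serves well under 1% of legitimate SYNs, which is exactly the "free bandwidth but no service" condition described; on a T1 the link saturates first, which is the case Rob had in mind. The half-open timeout is the dominant term, so any organization-side control that stops flood SYNs from holding state for the full timeout moves the bottleneck back to "none".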
Current thread:
- FW: [Fwd: RE: Intrusion prevention and dDos protection] mpaquette (Aug 28)
- RE: [Fwd: RE: Intrusion prevention and dDos protection] Rob Shein (Aug 28)