IDS mailing list archives
RE: Intrusion prevention and dDos protection
From: kgeorgiades () toplayer com
Date: Thu, 28 Aug 2003 09:12:18 -0400
An appliance that handles IPS with excellent DDos functionality is the Top Layer AM IPS http://www.toplayer.com/content/products/intrusion_detection/attack_mitigato r.jsp It fits perfectly in environments with slow firewall. There are hundreds of customers using it. Note: I work for Top Layer. Ken Georgiades -----Original Message----- From: Paul Benedek [mailto:paul.benedek () excis co uk] Sent: Tuesday, August 26, 2003 12:19 PM To: 'Rob Shein'; 'Darren Windham'; focus-ids () securityfocus com Subject: RE: Intrusion prevention and dDos protection Rob, You have a point. There are some considerations that may be pertinent with regard to this issue. Firstly as you point out, there are no definitive solutions. If there were any definitive solutions they would almost certainly rely on good design practices and this is what is being advocated here. Any connection to the Internet should include liaison and design with the ISP. Most ISP's will allow rate limiting at the edge within their domain if you request it. Similarly if you rate limit at your edge, you control the traffic passing across the edge into your realm. In terms of dropping traffic on the edge, again a DDOS can overwhelm the resources dealing with incoming and outgoing traffic, however you can control the switching of network traffic and the amount of CPU interrupts called on most routers. By being granular in your approach and by black holing non essential service specific traffic, you are less likely to overwhelm your own critical network resources such as firewalls and routers. This is done by specifying ports, disallowing fragmented traffic and non essential traffic like ICMP. Sadly my flawed assumptions require an in depth security solution that involves many different parties. It is not ideal and only offers a limited defence against a DDOS. The point being that this solution may be better than nothing and if it can prevent you being hit by at least one DDOS, it may be worth considering. Regards Paul Benedek Director Excis Networks Limited http://www.excis.co.uk -----Original Message----- From: Rob Shein [mailto:shoten () starpower net] Sent: 26 August 2003 14:31 To: 'Paul Benedek'; 'Darren Windham'; focus-ids () securityfocus com Subject: RE: Intrusion prevention and dDos protection Even this is predicated upon a critical and flawed assumption, being that the pipe leading to your border router has more bandwidth than the pipe leading from it. This is not the case; any rate limiting cannot be done by you and must be done by the ISP itself. While this is possible, it is out of the realm of product-based solutions and goes more towards cooperative efforts with the ISP, which is the basis of all DDOS defense anyways. Denying types of traffic at your border will be useless; that's like the highly aware security guard at the front desk. The bad people aren't getting past him, but it's already too late for that to matter.
-----Original Message----- From: Paul Benedek [mailto:paul.benedek () excis co uk] Sent: Tuesday, August 26, 2003 5:18 AM To: 'Rob Shein'; 'Darren Windham'; focus-ids () securityfocus com Subject: RE: Intrusion prevention and dDos protection Hi, Although the analogy is correct and that a well planned DDos attack can cause you to loose services, there are several things that you can do to limit the chances of success. Firstly at your ISP edge you can introduce rate limiting. By limiting the amount of certain types of traffic, you can allow for legitimate traffic to pass. For example if you have a 2 meg pipe, you can limit the amount of UDP to half a meg, tcp on port 80 and 443 to 1 meg and half a meg for other traffic. If the traffic exceeds these values, you can force the traffic to be dropped. If you are explicit with the traffic you are allowing, you can further limit the effects of a DDOS attack. For example you can deny all fragmented traffic and ICMP. You can specify the hosts and ports that need connectivity with a high degree of granularity and drop all other traffic. Furthermore if you implement RFC2827 filtering you can limit the chances of being used as a DDOS engine yourself. In most cases a well thought out DMZ and ISP edge can reduce the chances of a success, however as pointed out, you will not get total protection. You may however be able to keep critical services operational at the time of a DDOS attack. Regards, Paul Benedek Director Excis Networks Limited http://www.excis.co.uk -----Original Message----- From: Rob Shein [mailto:shoten () starpower net] Sent: 23 August 2003 18:26 To: 'Darren Windham'; focus-ids () securityfocus com Subject: RE: Intrusion prevention and dDos protection I would hasten to point out that there isn't anything you can buy that will give you DDos protection. While a firewall/IPS is like a security guard at the entrance to a building to keep bad people out, a DDos attack is like so many bad people trying to get into the building that they choke the streets leading up to it; nothing you can put in your building will deal with that congestion or prevent it.-----Original Message----- From: Darren Windham [mailto:dwindham () dallastelco org] Sent: Thursday, August 21, 2003 10:17 AM To: focus-ids () securityfocus com Subject: Intrusion prevention and dDos protection I recently had the chance to meet with the guys over at Melior and talk about their iSecure platform. Has anyone else taken a look at it? I was pleasantly suprised at its performance. I ran most of the common scanners on both Linux and Windows platforms and had no such luck with it. I can only hope that more products like this make it to the mainstream marketplace. If you are looking for a IPS/dDos prevention I'd make sure you take a good look at these guys. I'd love to hear feedback from others who have looked at this or other similar products. Check them out at http://www.meliorinc.com Regards, Darren Windham Network Administrator, Dallas Telco FCU email: dwindham () dallastelco org <mailto:dwindham () dallastelco org> Disclaimer: The information contained in this email is confidential and is intended solely for the use of the person identified as the recipient. If you are not the intended recipient, any disclosure, copying, distribution, or taking of any action in reliance on the contents is prohibited. If you received this email in error, please contact the sender immediately and dispose of the contents in a secure manner. -------------------------------------------------------------- ------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the worldÂ's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com -------------------------------------------------------------- --------------------------------------------------------------------------- ------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the worldÂ's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com -------------------------------------------------------------- -------------
--------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the worldÂ's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com --------------------------------------------------------------------------- --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the worldÂs premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com ---------------------------------------------------------------------------
Current thread:
- Intrusion prevention and dDos protection Darren Windham (Aug 21)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 25)
- RE: Intrusion prevention and dDos protection Paul Benedek (Aug 26)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 26)
- RE: Intrusion prevention and dDos protection Paul Benedek (Aug 26)
- RE: Intrusion prevention and dDos protection Paul Benedek (Aug 26)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 25)
- <Possible follow-ups>
- RE: Intrusion prevention and dDos protection Darren Windham (Aug 26)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 26)
- RE: Intrusion prevention and dDos protection Frank Knobbe (Aug 28)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 26)
- RE: Intrusion prevention and dDos protection kgeorgiades (Aug 28)