IDS mailing list archives
RE: DDOS Bot Blacklist
From: "Andy Cuff" <lists () securitywizardry com>
Date: Mon, 15 Nov 2004 19:31:53 -0000
Hi Rob,

Thank you for your response. For the larger, more complex attacks you are right, though many end networks (non-ISP) can withstand a surprisingly high volume of attack, either through their Attack Mitigation Systems (upstream of the firewall) or by increasing the size of their pipe, ideally both.

I'm going to revisit my list of Attack Mitigation Systems and Network Intrusion Prevention Systems next week. It's all related to the project I'm working on, but I didn't want to spam the list with a barrage of emails simultaneously.

Regards
-andy cuff
The Talisker Network Security Portal
http://securitywizardry.com
Computer Network Defence Ltd

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: 15 November 2004 05:37
To: 'Andy Cuff'; focus-ids () securityfocus com
Subject: RE: DDOS Bot Blacklist

The further question that comes to my mind is who would enforce blocking based on this list? It seems to me that if the subscribers to the list were anything other than ISPs, there would be little point to it. By the time you're blocking at your firewall, the DDoS traffic has already consumed what bandwidth it was meant to consume. And this is, of course, in addition to your concerns about DHCP addressing and spoofed source addresses.
-----Original Message-----
From: Andy Cuff [mailto:lists () securitywizardry com]
Sent: Sunday, November 14, 2004 5:27 PM
To: focus-ids () securityfocus com
Subject: DDOS Bot Blacklist

Hi,

I was wondering if anyone had looked into the creation of a blacklist for DDOS bots? There are obvious concerns: firstly, where the source may be spoofed, though most of the Attack Mitigation Systems should deal with stateless attacks; and secondly, with so many of the bots originating from DHCP scopes. This could be overcome by rapid aging of the addresses, or by only including addresses used more than once, indicating a long-term address lease in the scope.

Regards
-andy cuff
The Talisker Network Security Portal
http://securitywizardry.com
Computer Network Defence Ltd

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.789 / Virus Database: 534 - Release Date: 07/11/2004

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
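The "rapid aging" and "only include addresses used more than once" mitigations for DHCP churn that Andy proposes in his original message, as an added Python example that is not part of this thread or of any tool mentioned in it. The class, its parameters (max_age, min_sightings, min_gap) and the sample sightings are assumptions constructed for illustration; only the two list-building rules come from the message.

```python
"""Candidate DDoS bot blacklist with rapid aging and a repeat-sighting
threshold (added example; assumed design, not code from the thread).

An address is *listed* only once it has been reported in at least
MIN_SIGHTINGS separate attacks inside the last MAX_AGE seconds, and every
sighting older than MAX_AGE is forgotten, so an address that stops attacking
(e.g. a DHCP lease that has moved to an innocent host) drops off the list by
itself.  Sightings closer together than MIN_GAP seconds are treated as the
same attack, so one burst of packets from one host does not count as
"used more than once".  Timestamps per address are assumed non-decreasing.
"""
from collections import defaultdict, deque


class AgingBotBlacklist:
    def __init__(self, max_age=6 * 3600, min_sightings=2, min_gap=300):
        self.max_age = max_age              # seconds a sighting stays relevant
        self.min_sightings = min_sightings  # separate attacks needed to list
        self.min_gap = min_gap              # seconds between "separate" attacks
        self._sightings = defaultdict(deque)  # ip -> ascending timestamps

    def _prune(self, ip, now):
        """Drop sightings of `ip` older than max_age; return what is left."""
        q = self._sightings[ip]
        while q and now - q[0] > self.max_age:
            q.popleft()
        return q

    def report(self, ip, ts):
        """Record that `ip` was seen as an attack source at unix time `ts`.

        Returns True if the sighting counted as a new, separate attack,
        False if it was merged into the previous one (within min_gap).
        """
        q = self._prune(ip, ts)
        if q and ts - q[-1] < self.min_gap:
            return False
        q.append(ts)
        return True

    def is_listed(self, ip, now):
        """True if `ip` should be on the list at time `now`."""
        return len(self._prune(ip, now)) >= self.min_sightings

    def export(self, now):
        """Sorted list of addresses listed at time `now` (e.g. for a feed).

        Also forgets addresses with no live sightings so the table stays small.
        """
        listed = sorted(ip for ip in list(self._sightings)
                        if len(self._prune(ip, now)) >= self.min_sightings)
        for ip in list(self._sightings):
            if not self._sightings[ip]:
                del self._sightings[ip]
        return listed


def demo():
    """Constructed sightings (not real data) covering the three cases."""
    bl = AgingBotBlacklist(max_age=6 * 3600, min_sightings=2, min_gap=300)
    t0 = 1_100_000_000
    # 192.0.2.10: two attacks an hour apart -> a stable lease, listed
    bl.report("192.0.2.10", t0)
    bl.report("192.0.2.10", t0 + 3600)
    # 192.0.2.20: one burst of packets 10 s apart -> one attack, not listed
    bl.report("192.0.2.20", t0)
    bl.report("192.0.2.20", t0 + 10)
    # 198.51.100.5: two attacks, but the first is 8 h old at export -> aged out
    bl.report("198.51.100.5", t0 - 7 * 3600)
    bl.report("198.51.100.5", t0)
    return bl.export(now=t0 + 3600)


if __name__ == "__main__":
    print(demo())
```

Note that aging and the repeat threshold only address the DHCP concern; they do nothing for spoofed source addresses, which the thread leaves to the Attack Mitigation Systems upstream of the firewall.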
Current thread:
- DDOS Bot Blacklist Andy Cuff (Nov 14)
- RE: DDOS Bot Blacklist Rob Shein (Nov 15)
- Re: DDOS Bot Blacklist Kevin (Nov 16)
- RE: DDOS Bot Blacklist Andy Cuff (Nov 17)
- RE: DDOS Bot Blacklist Rob Shein (Nov 15)