IDS mailing list archives

Re: Sessions Resource Exhaustion


From: Roland Dobbins <rdobbins () cisco com>
Date: Tue, 16 Oct 2007 01:32:46 +0700


On Oct 13, 2007, at 11:01 PM, Ahsan Khan wrote:

 This would create enough cushions for an administrator to react and remedy an attack.

DDoS attacks are attacks against capacity and/or against state. The most effective strategy to handle DDoS within one's own span of control (not including coordination with others, which will be necessary in the event of a serious and ongoing attack) is to design the entire system (network, hosts, apps, et al.) in order to maximize capacity and minimize state vectors, while providing sufficient instrumentation and telemetry for visibility (such as NetFlow-based anomaly-detection), and sufficient mitigation/reaction mechanisms to assert control.

There are various reaction techniques and mechanisms such as S/RTBH, QPPB, and dedicated DDoS scrubbing systems which can be used to react effectively to DDoS attacks; typically, these mechanisms instantiate little or no state in the network and do not require symmetric traffic flows (or indeed any interaction with 'outbound' traffic at all, assuming the DDoS in question is an inbound one). Policy enforcement mechanisms may deliberately instantiate state as part of their operational paradigms, but that is a different application which isn't directly related to mitigating DDoS.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

           I don't sound like nobody.

               -- Elvis Presley
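As an added illustration of the capacity-versus-state distinction and the NetFlow-based anomaly detection the message refers to (example code written for this archive page, not from the original post, Cisco, or any product; the flow records, field names and thresholds are constructed assumptions):

```python
"""Toy NetFlow-style anomaly classifier: per destination, decide whether the
traffic looks like a state-exhaustion attack (many single-packet SYN-only
flows from many sources), a capacity attack (aggregate bit rate over budget),
both, or normal. All records and thresholds below are constructed examples."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    tcp_flags: str   # "S" = SYN only, "PA" = push/ack (established session)
    packets: int
    octets: int


def classify(flows, window_s=60, state_src_thresh=50, bps_thresh=100_000_000):
    """Return {dst: 'state' | 'capacity' | 'both' | 'normal'}.

    - state: >= state_src_thresh distinct sources each sending SYN-only flows
      of at most two packets (each one costs a stateful device a half-open
      session while carrying almost no bandwidth);
    - capacity: aggregate rate toward dst >= bps_thresh over the window,
      regardless of how many sessions the bytes represent.
    """
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst].append(f)
    verdicts = {}
    for dst, fl in per_dst.items():
        syn_only_srcs = {f.src for f in fl if f.tcp_flags == "S" and f.packets <= 2}
        bps = sum(f.octets for f in fl) * 8 / window_s
        state, capacity = len(syn_only_srcs) >= state_src_thresh, bps >= bps_thresh
        verdicts[dst] = ("both" if state and capacity else "state" if state
                         else "capacity" if capacity else "normal")
    return verdicts


def sample_flows():
    """Constructed sample: one state-style target, one volumetric, one normal."""
    flows = [Flow(f"198.51.100.{i}", "192.0.2.10", 443, "S", 1, 60)      # 200 half-opens
             for i in range(200)]
    flows += [Flow(f"203.0.113.{i}", "192.0.2.20", 80, "PA", 200_000, 300_000_000)
              for i in range(5)]                                         # ~200 Mbit/s
    flows += [Flow(f"203.0.113.{100 + i}", "192.0.2.30", 443, "PA", 40, 30_000)
              for i in range(20)]                                        # ~80 kbit/s
    return flows


if __name__ == "__main__":
    for dst, verdict in classify(sample_flows()).items():
        print(dst, verdict)
```

The two signals are deliberately independent: a SYN flood can exhaust a firewall's session table at a few Mbit/s, while a volumetric flood of established-looking flows saturates the link without opening many sessions at all.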

