Re: RE: IPS - Cisco vs. McAfee vs. Tippingpoint - Tried Arbor and Top Layer?

[Joel Esler <jesler () sourcefire com>]

The proper way to handle it is inside the application itself. Or an
app firewall for this use case.

On Wednesday, July 29, 2009, Augusto Pereyra <aepereyra () gmail com> wrote:
> This type of attack (DDOS) is really difficult to stop if the attacker
> becomes from different ip address and just make a GET of the
> index.html for example.
>
> How you can differentiate a real user from a bot ?
>
> I think this is impossible.
>
> If the IPS block this activity it will deny the access  to the web
> page for legitimate users
> If the IPS allow this activity the bandwidth will be consumed.
>
> Augusto Pereyra
> CISSP - CEH
>
> On Wed, Jul 29, 2009 at 4:15 PM, <jfarley () hush com> wrote:
> > Hi,
> >
> > > i need to protect a "realtime" website with an >inline IPS from (D)DOS attacks.
> >
> > I'd keep in mind that the latest DDoS attacks are not limited to HTTP-based floods and use a variety of DDoS vectors 
> > to bring your website down. For instance, the DDoS from the Korean botnet - 
> > http://www.networkworld.com/news/2009/071009-korea-ddos-virus-mission-shifts.html - involved sending normal HTTP 
> > queries asking for an index page, SYN floods, UDP floods, IP proto floods etc. So the vendor probably needs to 
> > provide more comprehensive DDoS protection, not just HTTP flood protection.
> >
> > > My dream appliance would be able to run like in a 7 day learning mode which
> > > counts max new sessions per second, max sessions per client aso. After this 7
> > > days it creates a filter with +x% of the learned values and sets these limits
> > > active.
> >
> > I believe either Arbor Peakflow or Top Layer IPS 5500 do what you described and much more for DDoS. In our 
> > experience, Arbor is a little better at botnet protection and Top Layer is at DDoS and file-based attack protection. 
> > Both have pretty comprehensive security protection as well - MS vulnerabilities, attachments etc. Cisco and ISS are 
> > good, too, but not as flexible when it comes to DDoS analysis and support.
> >
> > -JF
> >
> > -----------------------------------------------------------------
> > Securing Your Online Data Transfer with SSL.
> > A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL 
> > certificate on your web server, you can securely collect sensitive information online, and increase business by 
> > giving your customers confidence that their transactions are safe.
> > http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL 
> certificate on your web server, you can securely collect sensitive information online, and increase business by 
> giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194