Snort mailing list archives

Re: Network & Systems Cloaking Tool


From: twig les <twigles () yahoo com>
Date: Fri, 8 Nov 2002 09:53:54 -0800 (PST)

Now I'm curious.  I looked at the site, but it seems a
bit geared toward management.  Exactly how does this
box decide what traffic is legit and what isn't?  This
has been the crux of the computer security world's
problem since the get-go.  I understand the whole
do-it-in-asic part for wire speed, but the black box
thing is a tough one for me to trust.  Is there a more
detailed doc about this?  Sorry to hammer you, but
this is an open-source list you're posting to.



--- Tommy <tommy () secure sh> wrote:

At 06:51 PM 11/6/2002, <hackerwacker () cybermesa com>
wrote:
No box can protect against a DoS, if it sits at the
customer end of a pipe, and the DoS is filling the
pipe. 


Hello hackerwacker,

as you know, there are two different types of DDoS
attacks:
1) flood the pipe
2) attack on application level

The bandwidth flooding DDoS attacks are fairly easy
to catch with QoS stuff (or iSecure), and should be
caught upstream if targeted against a
small-bandwidth connection. Even though iSecure also
defends against this type of attack, the key feature
is defense against application-level DDoS attacks,
and not shutting the pipe down (same effect as
DDoS), but determining which is "good" traffic
(passes), and which is "DDoS" traffic (stopped).
This application-level attack is the more
devastating, and the most difficult to combat - and
this is what iSecure does:
http://www.dos-protection.com/html/dos___ddos.html
There is a lot of money being spent on the
development of other DDoS Defense systems (~$300m so
far), and there are some in the market, all of which
according to a review by DDoS World in NW Fusion
have significant drawbacks, are hard to configure,
and/or simply do not work (such as: Sync4 crashes
the DDoS Defense system). iSecure does not require
any configuration (black box concept) and works
against all flooding and application-type DDoS
attacks as an inline scanner, successfully
eliminating DDoS attacks in real-time, while letting
"good" (desirable) traffic pass - and without
bandwidth reduction.

Its other feature is the network & systems cloaking,
which is truly unique (I know of no other system
which does that), and which in conjunction with an
IDS system can allow for more effective detection &
traces, as it forces the attacker to log all ports
in the scan range (or all 65,535) twice - while
logging all as being 'open' and then to generate the
list of "interesting ports" - i.e. the same, slowing
down the probe dramatically. This is why I wanted to
run it by the Snort community. Even NMAP can't
figure out what's behind the system. More at:
http://www.dos-protection.com/html/cloaking.html

Thanks for your time,
Thomas


Thomas J. Ackermann
Mobile: 214-403-5368

Melior, Inc. ---  Perfectionists At Work. (TM)

Internet Infrastructure & Security Architects
in Dallas, Silicon Valley, Los Angeles, Houston, New
York, India
www.meliorinc.com
 
Tel: (888) 4 MELIOR     
Fax: (888) TO FAX US

This email is intended for the addressee only.  
The material may be privileged and may contain
confidential information.  
If you have received this email in error, please
notify Melior, Inc. immediately 
by email and delete the original.  Thank you!



=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------


