RE: Intrusion prevention and dDos protection

From: Rob Shein (shoten_at_starpower.net)
Date: 08/26/03

  • Next message: Andrew Plato: "Re: Top IPS vendors - please read for invitation to Network World review."
    To: "'Paul Benedek'" <paul.benedek@excis.co.uk>, "'Darren Windham'" <dwindham@dallastelco.org>, <focus-ids@securityfocus.com>
    Date: Tue, 26 Aug 2003 09:31:27 -0400
    
    

    Even this is predicated upon a critical and flawed assumption, being that
    the pipe leading to your border router has more bandwidth than the pipe
    leading from it. This is not the case; any rate limiting cannot be done by
    you and must be done by the ISP itself. While this is possible, it is out
    of the realm of product-based solutions and goes more towards cooperative
    efforts with the ISP, which is the basis of all DDOS defense anyways.

    Denying types of traffic at your border will be useless; that's like the
    highly aware security guard at the front desk. The bad people aren't
    getting past him, but it's already too late for that to matter.

    > -----Original Message-----
    > From: Paul Benedek [mailto:paul.benedek@excis.co.uk]
    > Sent: Tuesday, August 26, 2003 5:18 AM
    > To: 'Rob Shein'; 'Darren Windham'; focus-ids@securityfocus.com
    > Subject: RE: Intrusion prevention and dDos protection
    >
    >
    > Hi,
    >
    > Although the analogy is correct and a well-planned DDos
    > attack can cause you to lose services, there are several
    > things that you can do to limit the chances of success.
    >
    > Firstly, at your ISP edge you can introduce rate limiting. By
    > limiting the amount of certain types of traffic, you can
    > allow for legitimate traffic to pass. For example if you
    > have a 2 meg pipe, you can limit the amount of UDP to half a
    > meg, tcp on port 80 and 443 to 1 meg and half a meg for other
    > traffic. If the traffic exceeds these values, you can force
    > the traffic to be dropped.
    >
    > If you are explicit with the traffic you are allowing, you
    > can further limit the effects of a DDOS attack. For example
    > you can deny all fragmented traffic and ICMP. You can
    > specify the hosts and ports that need connectivity with a
    > high degree of granularity and drop all other traffic.
    > Furthermore if you implement RFC2827 filtering you can limit
    > the chances of being used as a DDOS engine yourself.
    >
    > In most cases a well thought out DMZ and ISP edge can reduce
    > the chances of success, however as pointed out, you will
    > not get total protection. You may however be able to keep
    > critical services operational at the time of a DDOS attack.
    >
    >
    > Regards,
    >
    > Paul Benedek
    > Director
    > Excis Networks Limited
    > http://www.excis.co.uk
    >
    >
    >
    >
    > -----Original Message-----
    > From: Rob Shein [mailto:shoten@starpower.net]
    > Sent: 23 August 2003 18:26
    > To: 'Darren Windham'; focus-ids@securityfocus.com
    > Subject: RE: Intrusion prevention and dDos protection
    >
    > I would hasten to point out that there isn't anything you can
    > buy that will give you DDos protection. While a firewall/IPS
    > is like a security guard at the entrance to a building to
    > keep bad people out, a DDos attack is like so many bad people
    > trying to get into the building that they choke the streets
    > leading up to it; nothing you can put in your building will
    > deal with that congestion or prevent it.
    >
    > > -----Original Message-----
    > > From: Darren Windham [mailto:dwindham@dallastelco.org]
    > > Sent: Thursday, August 21, 2003 10:17 AM
    > > To: focus-ids@securityfocus.com
    > > Subject: Intrusion prevention and dDos protection
    > >
    > >
    > > I recently had the chance to meet with the guys over at
    > > Melior and talk about their iSecure platform. Has anyone
    > > else taken a look at it? I was pleasantly surprised at its
    > > performance. I ran most of the common scanners on both Linux
    > > and Windows platforms and had no such luck with it. I can
    > > only hope that more products like this make it to the
    > > mainstream marketplace. If you are looking for an IPS/dDos
    > > prevention I'd make sure you take a good look at these guys.
    > >
    > > I'd love to hear feedback from others who have looked at this
    > > or other similar products.
    > >
    > > Check them out at http://www.meliorinc.com
    > >
    > > Regards,
    > >
    > > Darren Windham
    > > Network Administrator, Dallas Telco FCU
    > > email: dwindham@dallastelco.org
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > > --------------------------------------------------------------
    > > -------------
    > > Attend Black Hat Briefings & Training Federal, September
    > > 29-30 (Training), October 1-2 (Briefings) in Tysons Corner,
    > > VA; the world’s premier
    > > technical IT security event. Modeled after the famous Black
    > > Hat event in
    > > Las Vegas! 6 tracks, 12 training sessions, top speakers and
    > > sponsors.
    > > Symanetc is the Diamond sponsor. Early-bird registration
    > > ends September 6 Visit: www.blackhat.com
    > > --------------------------------------------------------------
    > > -------------
    > >
    > >
    >
    >
    >
    >
    >

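The two positions in this thread (Paul's per-class rate limits on a 2 meg pipe, and Rob's objection that a limiter on your side of an already saturated link cannot help) can be checked with a small fluid-model simulation. This is an added example, not code from any poster; the flood volumes and the prefixes in the RFC 2827 egress check are constructed, and a congested link is approximated as sharing bandwidth in proportion to offered load.

```python
import ipaddress

# Pipe and per-class caps from Paul's example (Mbit/s): a 2 Mbit/s pipe,
# UDP capped at 0.5, TCP 80/443 at 1.0, everything else at 0.5.
PIPE_MBPS = 2.0
CLASS_LIMITS = {"udp": 0.5, "web": 1.0, "other": 0.5}

# Constructed offered load during a flood (Mbit/s): 40 Mbit/s of UDP junk
# arriving alongside 0.8 Mbit/s of legitimate web and 0.2 of other traffic.
FLOOD = {"udp": 40.0, "web": 0.8, "other": 0.2}


def police(offered, limits):
    """Per-class policer: each class is capped at its configured rate."""
    return {c: min(rate, limits[c]) for c, rate in offered.items()}


def squeeze(offered, capacity):
    """A saturated link drops indiscriminately; approximate it as every class
    keeping the same share of the link that it had of the offered load."""
    total = sum(offered.values())
    if total <= capacity:
        return dict(offered)
    return {c: rate * capacity / total for c, rate in offered.items()}


def delivered(offered, limits=CLASS_LIMITS, pipe=PIPE_MBPS, policer_at_isp=True):
    """Traffic reaching the customer network for each policer placement.
    ISP edge: police first, then the pipe carries what remains.
    Customer border: the pipe saturates first, the policer only trims survivors."""
    if policer_at_isp:
        return squeeze(police(offered, limits), pipe)
    return police(squeeze(offered, pipe), limits)


def rfc2827_egress_ok(src_ip, own_prefixes):
    """RFC 2827 egress filter: a packet may leave only if its source address is
    in one of our own prefixes, so we cannot serve as a spoofing DDoS engine."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in own_prefixes)


if __name__ == "__main__":
    for where, flag in (("ISP edge", True), ("customer border", False)):
        got = delivered(FLOOD, policer_at_isp=flag)
        print(f"policer at {where}: web delivered {got['web']:.3f} of {FLOOD['web']} Mbit/s")
    print(rfc2827_egress_ok("198.51.100.7", ["198.51.100.0/24"]))  # own prefix: allowed
    print(rfc2827_egress_ok("203.0.113.9", ["198.51.100.0/24"]))   # spoofed source: dropped
```

With the limiter upstream at the ISP, the full 0.8 Mbit/s of legitimate web traffic survives; with the same limiter on the customer border, the saturated pipe has already reduced it to a few tens of kbit/s before the policer sees it.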

