RE: Intrusion prevention and dDos protection

From: Paul Benedek (paul.benedek_at_excis.co.uk)
Date: 08/26/03

    To: "'Rob Shein'" <shoten@starpower.net>, "'Darren Windham'" <dwindham@dallastelco.org>, <focus-ids@securityfocus.com>
    Date: Tue, 26 Aug 2003 10:17:46 +0100
    
    

    Hi,

    Although the analogy is correct and a well-planned DDoS attack can
    cause you to lose services, there are several things you can do to
    limit the chances of success.

    Firstly, at your ISP edge you can introduce rate limiting. By limiting the
    amount of certain types of traffic, you can allow legitimate traffic to
    pass. For example, if you have a 2 meg pipe, you can limit UDP to half a
    meg, TCP on ports 80 and 443 to 1 meg, and other traffic to half a meg.
    If the traffic exceeds these values, you can force the excess to be
    dropped.

    If you are explicit about the traffic you are allowing, you can further limit
    the effects of a DDoS attack. For example, you can deny all fragmented
    traffic and ICMP. You can specify the hosts and ports that need
    connectivity with a high degree of granularity and drop all other traffic.
    Furthermore, if you implement RFC 2827 filtering you can limit the chances of
    being used as a DDoS engine yourself.

    In most cases a well-thought-out DMZ and ISP edge can reduce the chances of
    success; however, as pointed out, you will not get total protection. You
    may, however, be able to keep critical services operational during a
    DDoS attack.

    Regards,

    Paul Benedek
    Director
    Excis Networks Limited
    http://www.excis.co.uk

    -----Original Message-----
    From: Rob Shein [mailto:shoten@starpower.net]
    Sent: 23 August 2003 18:26
    To: 'Darren Windham'; focus-ids@securityfocus.com
    Subject: RE: Intrusion prevention and dDos protection

    I would hasten to point out that there isn't anything you can buy that will
    give you DDoS protection. While a firewall/IPS is like a security guard at
    the entrance to a building to keep bad people out, a DDoS attack is like so
    many bad people trying to get into the building that they choke the streets
    leading up to it; nothing you can put in your building will deal with that
    congestion or prevent it.

    > -----Original Message-----
    > From: Darren Windham [mailto:dwindham@dallastelco.org]
    > Sent: Thursday, August 21, 2003 10:17 AM
    > To: focus-ids@securityfocus.com
    > Subject: Intrusion prevention and dDos protection
    >
    >
    > I recently had the chance to meet with the guys over at
    > Melior and talk about their iSecure platform. Has anyone
    > else taken a look at it? I was pleasantly surprised at its
    > performance. I ran most of the common scanners on both Linux
    > and Windows platforms and had no such luck with it. I can
    > only hope that more products like this make it to the
    > mainstream marketplace. If you are looking for an IPS/DDoS
    > prevention product I'd make sure you take a good look at these guys.
    >
    > I'd love to hear feedback from others who have looked at this
    > or other similar products.
    >
    > Check them out at http://www.meliorinc.com
    >
    > Regards,
    >
    > Darren Windham
    > Network Administrator, Dallas Telco FCU
    > email: dwindham@dallastelco.org
    >
    >
    >
    >
    > Disclaimer: The information contained in this email is
    > confidential and is intended solely for the use of the person
    > identified as the recipient. If you are not the intended
    > recipient, any disclosure, copying, distribution, or taking
    > of any action in reliance on the contents is prohibited. If
    > you received this email in error, please contact the sender
    > immediately and dispose of the contents in a secure manner.
    >
    >
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    > October 1-2 (Briefings) in Tysons Corner, VA; the world’s premier
    > technical IT security event. Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration ends September 6.
    > Visit: www.blackhat.com
    > ---------------------------------------------------------------------------

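The edge policy Paul lays out above (per-class limits carved out of a 2 meg pipe, fragments and ICMP dropped, an explicit inbound allowlist, RFC 2827 anti-spoofing) as a runnable model. This is an added example and is not part of any message in this thread, nor anyone's router configuration: it is a simulation you can run offline. The customer prefix 203.0.113.0/24, the allowlisted hosts 203.0.113.10 and 203.0.113.53, the one-second bucket depth and the packet trace are all constructed for the example; only the rate split (UDP 512 kbit/s, TCP 80/443 1 Mbit/s, other 512 kbit/s) comes from the post.

```python
"""Model of the ISP-edge policy from the post: per-class rate limits carved out
of a 2 Mbit/s pipe, fragments and ICMP dropped, an explicit inbound allowlist, and
RFC 2827 anti-spoofing. Example code, not the poster's configuration."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")      # assumed customer prefix
ALLOWED_INBOUND = {("203.0.113.10", "tcp", 80), ("203.0.113.10", "tcp", 443),
                   ("203.0.113.53", "udp", 53)}          # assumed (dst host, proto, dport)
CLASS_RATES_BPS = {"udp": 512_000, "web": 1_000_000, "other": 512_000}  # the post's split
BURST_SECONDS = 1      # bucket depth: one second's worth of the class rate (assumed)

@dataclass
class Packet:
    ts_ms: int            # arrival time in milliseconds; integers keep the maths exact
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    length: int = 1000    # bytes
    fragment: bool = False
    inbound: bool = True  # True: arriving from the ISP; False: leaving our network

class TokenBucket:
    """Integer token bucket: refills at `rate` bytes per ms, holds at most `burst` bytes."""
    def __init__(self, rate_bps, burst_seconds):
        self.rate = rate_bps // 8000                   # bytes per millisecond
        self.burst = self.rate * 1000 * burst_seconds
        self.tokens = self.burst
        self.last_ms = None

    def allow(self, ts_ms, nbytes):
        if self.last_ms is None:
            self.last_ms = ts_ms
        self.tokens = min(self.burst, self.tokens + max(0, ts_ms - self.last_ms) * self.rate)
        self.last_ms = ts_ms
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False

def classify(p):
    # The classes the post rate-limits: UDP, web (TCP 80/443), everything else.
    if p.proto == "udp":
        return "udp"
    if p.proto == "tcp" and p.dport in (80, 443):
        return "web"
    return "other"

class EdgePolicy:
    def __init__(self):
        self.buckets = {c: TokenBucket(r, BURST_SECONDS) for c, r in CLASS_RATES_BPS.items()}

    def decide(self, p):
        src = ipaddress.ip_address(p.src)
        # RFC 2827: never emit a packet whose source is outside our prefix, and
        # never accept one from the ISP side that claims a source inside it.
        if not p.inbound and src not in OUR_PREFIX:
            return "drop:rfc2827-egress"
        if p.inbound and src in OUR_PREFIX:
            return "drop:rfc2827-ingress"
        if not p.inbound:
            return "accept:egress"
        if p.fragment:
            return "drop:fragment"
        if p.proto == "icmp":
            return "drop:icmp"
        if (p.dst, p.proto, p.dport) not in ALLOWED_INBOUND:
            return "drop:not-allowed"
        cls = classify(p)
        if not self.buckets[cls].allow(p.ts_ms, p.length):
            return "drop:rate-" + cls                  # class is over its share of the pipe
        return "accept:" + cls

    def run(self, packets):
        verdicts = Counter()
        for p in sorted(packets, key=lambda x: x.ts_ms):   # stable sort keeps per-class order
            verdicts[self.decide(p)] += 1
        return verdicts

def build_trace():
    # Constructed traffic, not a capture: a one-second UDP flood at the DNS host
    # (1000 B/ms = 8 Mbit/s, four times the pipe), modest HTTPS, and one packet
    # of each kind the policy rejects outright.
    trace = [Packet(i, "198.51.100.%d" % (i % 200 + 1), "203.0.113.53", "udp", 53)
             for i in range(1000)]
    trace += [Packet(i * 20, "192.0.2.44", "203.0.113.10", "tcp", 443) for i in range(50)]
    trace += [
        Packet(5, "192.0.2.9", "203.0.113.10", "icmp"),                      # ICMP
        Packet(6, "192.0.2.9", "203.0.113.10", "tcp", 80, fragment=True),    # fragment
        Packet(7, "203.0.113.99", "203.0.113.10", "tcp", 80),                # spoofs our prefix
        Packet(8, "192.0.2.9", "203.0.113.10", "tcp", 22),                   # not allowlisted
        Packet(9, "192.0.2.5", "192.0.2.9", "tcp", 80, inbound=False),       # spoofed egress source
        Packet(10, "203.0.113.10", "192.0.2.9", "tcp", 443, inbound=False),  # legitimate egress
    ]
    return trace

def simulate():
    return EdgePolicy().run(build_trace())   # Counter of verdict -> packet count
```

Running simulate() shows the point of the per-class split: the UDP flood is held to its 512 kbit/s share (127 of the 1,000 flood packets pass in that second, the other 873 are dropped as drop:rate-udp) while all 50 HTTPS packets go through untouched, which is the "keep critical services operational" outcome described above. The caveat from Rob's message still stands: a policer only protects what sits behind it. If the flood fills the 2 meg link before it reaches your edge, these rules shed nothing upstream and the legitimate traffic is already lost, so the limits have to be enforced on the ISP's side of the link to help. The RFC 2827 checks are the other half of the picture: the egress check stops your network being used as a source of spoofed flood traffic, and the ingress check drops outside packets pretending to come from your own prefix.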
