RE: [Fwd: RE: Intrusion prevention and dDos protection]
From: Rob Shein (shoten_at_starpower.net)
Date: 08/27/03
To: <mpaquette@toplayer.com>, <focus-ids@securityfocus.com>
Date: Wed, 27 Aug 2003 10:25:57 -0400
Very good point. I was envisioning a full pipe in my example, but I see how
in this case, proper architecture can allow an organization to respond to an
attack and maintain some functionality. I still stand by my earlier
statement, however, that a single product cannot truthfully claim to protect
an organization against a DDOS, in the way earlier described.
> -----Original Message-----
> From: mpaquette@toplayer.com [mailto:mpaquette@toplayer.com]
> Sent: Wednesday, August 27, 2003 8:58 AM
> To: shoten@starpower.net; focus-ids@securityfocus.com
> Subject: FW: [Fwd: RE: Intrusion prevention and dDos protection]
>
>
> Hi Rob,
>
> Your point below is not totally correct. I agree with
> you that *IF* the entire Internet connection link is swamped
> with DoS traffic, then there is little you can do from the
> organization side to affect it, but you mistakenly assume
> that all DDoS attacks are successful in filling the entirety
> of an organization's Internet link. While that may indeed be
> common for attacks that take place on low-speed broadband or
> T1 connections, it is definitely not true for organizations
> with higher speed Internet connections (10M, T3, 100M, OC-3,
> OC-12, Gig).
>
> In any organization where their critical on-line assets (say, Web
> Servers) have less capacity to withstand a particular attack,
> say a SYN Flood, than the Internet connection has capacity to
> let in, a Denial of Service condition can occur without
> filling up the Internet pipe with DoS Traffic. For example,
> with just a 10Mbit/sec Internet connection, a significant SYN
> flood of 10,000 SYNs/sec can make even a load-balanced,
> multi-CPU web server crawl to its knees. In this case there is still
> 3+Mbit/sec of "free" bandwidth left over for legitimate
> requests to the 3+ web servers, but such requests will not be
> serviced because the servers are suffering from the attack -
> denial of service is achieved.
>
> Extending your analogy, think of these types of DDoS
> attacks not as street cloggers, but more like excess
> orderers. If 5 people show up at a fast food restaurant,
> getting to all 5 order-takers at the same time, and each
> takes 5 minutes asking questions and changing his mind 10
> times before ordering 25 hamburgers each, the restaurant's
> ability to service additional customers during this time will
> stop well before the street gets clogged up, causing a denial
> of service. With a little creativity, you can probably think
> of lots of things you could do inside the restaurant to
> ensure that this does not take place.
>
> Over the past 12 months, we have seen dozens of
> targeted DDoS attacks, and none of them was successful in
> using up the entire pipe bandwidth. For these types of
> attacks, an organization-side attack mitigation approach can
> be quite effective, ensuring that legitimate transactions can
> complete even in the presence of high-volume SYN floods. If
> you're interested, contact me offline, and I'll provide you
> with a concrete real-life example.
>
> Thanks,
> Mike P.
> Top Layer Networks
>
> -------- Original Message --------
> Subject: RE: Intrusion prevention and dDos protection
> Date: Sat, 23 Aug 2003 13:26:22 -0400
> From: Rob Shein <shoten@starpower.net>
> To: 'Darren Windham' <dwindham@dallastelco.org>,
> focus-ids@securityfocus.com
>
> I would hasten to point out that there isn't anything you can
> buy that will give you DDos protection. While a firewall/IPS
> is like a security guard at the entrance to a building to
> keep bad people out, a DDos attack is like so many bad people
> trying to get into the building that they choke the streets
> leading up to it; nothing you can put in your building will
> deal with that congestion or prevent it.
>
> > -----Original Message-----
> > From: Darren Windham [mailto:dwindham@dallastelco.org]
> > Sent: Thursday, August 21, 2003 10:17 AM
> > To: focus-ids@securityfocus.com
> > Subject: Intrusion prevention and dDos protection
> >
> >
> > I recently had the chance to meet with the guys over at
> > Melior and talk about their iSecure platform. Has anyone
> > else taken a look at it? I was pleasantly surprised at its
> > performance. I ran most of the common scanners on both
> > Linux and Windows platforms and had no such luck with it.
> > I can only hope that more products like this make it to
> > the mainstream marketplace. If you are looking for an
> > IPS/dDos prevention I'd make sure you take a good look at
> > these guys.
> >
> > I'd love to hear feedback from others who have looked at this
> > or other similar products.
> >
> > Check them out at http://www.meliorinc.com
> >
> > Regards,
> >
> > Darren Windham
> > Network Administrator, Dallas Telco FCU
> > email: dwindham@dallastelco.org
> >
> > Disclaimer: The information contained in this email is
> > confidential and is intended solely for the use of the person
> > identified as the recipient. If you are not the intended
> > recipient, any disclosure, copying, distribution, or taking
> > of any action in reliance on the contents is prohibited. If
> > you received this email in error, please contact the sender
> > immediately and dispose of the contents in a secure manner.
> >
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Federal, September 29-30
> (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's
> premier technical IT security event. Modeled after the famous Black
> Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers
> and sponsors. Symantec is the Diamond sponsor. Early-bird registration
> ends September 6 Visit: www.blackhat.com
> ---------------------------------------------------------------------------
>
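The capacity argument Mike makes above (a SYN flood can deny service at the server long before it fills the Internet link) can be put into a small model. The following is an added example, not code from this thread or from Top Layer Networks: it compares the flood's wire bandwidth against the link with the flood's packet rate against the server's half-open connection capacity, using the 10 Mbit/sec link and 10,000 SYNs/sec from the message. The 64-byte frame size, the 1024-entry backlog, the 60-second half-open lifetime, the SYN-cookie per-packet capacity and the `Link`/`Server`/`assess` names are all assumptions chosen for illustration.

```python
"""Capacity model for a SYN flood: link saturation vs. server saturation.

Added example (not the thread's or Top Layer's code). All numeric defaults
are assumptions for illustration, not measurements of any product.
"""
from dataclasses import dataclass


@dataclass
class Link:
    capacity_bps: float  # Internet link speed in bits per second


@dataclass
class Server:
    syn_backlog: int             # half-open connections the listener will queue (assumed)
    half_open_lifetime_s: float  # seconds an unanswered SYN-ACK holds a slot (assumed)
    syn_cookies: bool = False    # stateless SYN handling: no backlog to exhaust
    pps_capacity: float = 0.0    # SYNs/sec the host can answer when using cookies (assumed)


def flood_bandwidth_bps(syn_rate_pps: float, frame_bytes: int = 64) -> float:
    """Wire bandwidth a SYN flood consumes; 64 bytes is a minimum-size Ethernet frame."""
    return syn_rate_pps * frame_bytes * 8


def link_utilization(link: Link, syn_rate_pps: float, frame_bytes: int = 64) -> float:
    """Fraction of the link the flood occupies (exceeds 1.0 once the pipe is full)."""
    return flood_bandwidth_bps(syn_rate_pps, frame_bytes) / link.capacity_bps


def link_saturation_rate_pps(link: Link, frame_bytes: int = 64) -> float:
    """SYN rate at which the flood alone fills the link: the 'clogged street' case."""
    return link.capacity_bps / (frame_bytes * 8)


def backlog_saturation_rate_pps(server: Server) -> float:
    """SYN rate at which half-open slots fill faster than they expire: the 'excess orderer' case.

    A backlog of N slots, each held for T seconds, drains at N/T slots per second;
    any sustained SYN rate above that leaves no slot for a legitimate client.
    """
    return server.syn_backlog / server.half_open_lifetime_s


def assess(link: Link, server: Server, syn_rate_pps: float) -> dict:
    """Report which resource the flood exhausts first: the pipe or the server."""
    util = link_utilization(link, syn_rate_pps)
    if server.syn_cookies:
        # With cookies the limit is per-packet processing, not table space.
        server_limit = server.pps_capacity
    else:
        server_limit = backlog_saturation_rate_pps(server)
    return {
        "link_utilization": util,
        "link_saturated": util >= 1.0,
        "server_limit_pps": server_limit,
        "server_denied": syn_rate_pps >= server_limit,
        "free_bandwidth_bps": max(link.capacity_bps - flood_bandwidth_bps(syn_rate_pps), 0.0),
    }


if __name__ == "__main__":
    link = Link(capacity_bps=10e6)  # the 10 Mbit/sec link from the message
    backlog_bound = Server(syn_backlog=1024, half_open_lifetime_s=60.0)
    with_cookies = Server(syn_backlog=1024, half_open_lifetime_s=60.0,
                          syn_cookies=True, pps_capacity=50_000)
    for name, srv in (("backlog-bound", backlog_bound), ("syn-cookies", with_cookies)):
        r = assess(link, srv, syn_rate_pps=10_000)
        print(f"{name}: link {r['link_utilization']:.0%} used, "
              f"server limit {r['server_limit_pps']:.0f} SYN/s, "
              f"denied={r['server_denied']}, "
              f"free {r['free_bandwidth_bps'] / 1e6:.2f} Mbit/s")
```

The backlog-bound server falls over at roughly 17 SYNs/sec while the link is only about half full, which is the situation described in the message; the same flood against a host answering statelessly is below its assumed processing limit, which is where an organization-side mitigation (or the server's own SYN-cookie handling) buys something that no amount of upstream bandwidth does.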