RE: [Fwd: RE: Intrusion prevention and dDos protection]

From: Rob Shein (shoten_at_starpower.net)
Date: 08/27/03

    To: <mpaquette@toplayer.com>, <focus-ids@securityfocus.com>
    Date: Wed, 27 Aug 2003 10:25:57 -0400
    
    

    Very good point. I was envisioning a full pipe in my example, but I see how
    in this case, proper architecture can allow an organization to respond to an
    attack and maintain some functionality. I still stand by my earlier
    statement, however, that a single product cannot truthfully claim to protect
    an organization against a DDoS, in the way earlier described.

    > -----Original Message-----
    > From: mpaquette@toplayer.com [mailto:mpaquette@toplayer.com]
    > Sent: Wednesday, August 27, 2003 8:58 AM
    > To: shoten@starpower.net; focus-ids@securityfocus.com
    > Subject: FW: [Fwd: RE: Intrusion prevention and dDos protection]
    >
    >
    > Hi Rob,
    >
    > Your point below is not totally correct. I agree with
    > you that *IF* the entire Internet connection link is swamped
    > with DoS traffic, then there is little you can do from the
    > organization side to affect it, but you mistakenly assume
    > that all DDoS attacks are successful in filling the entirety
    > of an organization's Internet link. While that may indeed be
    > common for attacks that take place on low-speed broadband or
    > T1 connections, it is definitely not true for organizations
    > with higher speed Internet connections (10M, T3, 100M, OC-3,
    > OC-12, Gig).
    >
    > In any organization where their critical on-line assets
    > (say, Web Servers) have less capacity to withstand a
    > particular attack, say a SYN Flood, than the Internet
    > connection has capacity to let in, a Denial of Service
    > condition can occur without filling up the Internet pipe
    > with DoS Traffic. For example, with just a 10Mbit/sec
    > Internet connection, a significant SYN flood of 10,000
    > SYNs/sec can make even a load-balanced, multi-CPU web
    > server crawl to its knees. In this case there is still
    > 3+Mbit/sec of "free" bandwidth left over for legitimate
    > requests to the 3+ web servers, but such requests will not
    > be serviced because the servers are suffering from the
    > attack - denial of service is achieved.
    >
    > Extending your analogy, think of these types of DDoS
    > attacks not as street cloggers, but more like excess
    > orderers. If 5 people show up at a fast food restaurant,
    > getting to all 5 order-takers at the same time, and each
    > takes 5 minutes asking questions and changing his mind 10
    > times before ordering 25 hamburgers each, the restaurant's
    > ability to service additional customers during this time will
    > stop well before the street gets clogged up, causing a denial
    > of service. With a little creativity, you can probably think
    > of lots of things you could do inside the restaurant to
    > ensure that this does not take place.
    >
    > Over the past 12 months, we have seen dozens of
    > targeted DDoS attacks, and none of them was successful in
    > using up the entire pipe bandwidth. For these types of
    > attacks, an organization-side attack mitigation approach can
    > be quite effective, ensuring that legitimate transactions can
    > complete even in the presence of high-volume SYN floods. If
    > you're interested, contact me offline, and I'll provide you
    > with a concrete real-life example.
    >
    > Thanks,
    > Mike P.
    > Top Layer Networks
    >
    > -------- Original Message --------
    > Subject: RE: Intrusion prevention and dDos protection
    > Date: Sat, 23 Aug 2003 13:26:22 -0400
    > From: Rob Shein <shoten@starpower.net>
    > To: 'Darren Windham' <dwindham@dallastelco.org>,
    > focus-ids@securityfocus.com
    >
    > I would hasten to point out that there isn't anything you can
    > buy that will give you DDos protection. While a firewall/IPS
    > is like a security guard at the entrance to a building to
    > keep bad people out, a DDos attack is like so many bad people
    > trying to get into the building that they choke the streets
    > leading up to it; nothing you can put in your building will
    > deal with that congestion or prevent it.
    >
    > > -----Original Message-----
    > > From: Darren Windham [mailto:dwindham@dallastelco.org]
    > > Sent: Thursday, August 21, 2003 10:17 AM
    > > To: focus-ids@securityfocus.com
    > > Subject: Intrusion prevention and dDos protection
    > >
    > >
    > > I recently had the chance to meet with the guys over at
    > > Melior and talk about their iSecure platform. Has anyone
    > > else taken a look at it? I was pleasantly surprised at its
    > > performance. I ran most of the common scanners on both
    > > Linux and Windows platforms and had no such luck with it.
    > > I can only hope that more products like this make it to
    > > the mainstream marketplace. If you are looking for an
    > > IPS/dDos prevention I'd make sure you take a good look at
    > > these guys.
    > >
    > > I'd love to hear feedback from others who have looked at this
    > > or other similar products.
    > >
    > > Check them out at http://www.meliorinc.com
    > >
    > > Regards,
    > >
    > > Darren Windham
    > > Network Administrator, Dallas Telco FCU
    > > email: dwindham@dallastelco.org
    > >
    > > Disclaimer: The information contained in this email is
    > > confidential and is intended solely for the use of the person
    > > identified as the recipient. If you are not the intended
    > > recipient, any disclosure, copying, distribution, or taking
    > > of any action in reliance on the contents is prohibited. If
    > > you received this email in error, please contact the sender
    > > immediately and dispose of the contents in a secure manner.
    > >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30
    > (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's
    > premier technical IT security event. Modeled after the famous Black
    > Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers
    > and sponsors. Symantec is the Diamond sponsor. Early-bird registration
    > ends September 6 Visit: www.blackhat.com
    > ---------------------------------------------------------------------------
    >
    >


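The SYN-flood arithmetic in Mike's message above, as an added example that is not part of the original thread: a small Python model of why a flood can exhaust a server's half-open connection table long before it fills the link, and what one "inside the restaurant" measure, SYN cookies, changes. The 10 Mbit/s link and 10,000 SYN/s flood are the figures quoted in the thread; the on-wire SYN size, the backlog size, the hold times, the legitimate arrival rate and the function names are assumptions chosen for illustration, and the model ignores the CPU cost of answering SYNs.

```python
"""Why a SYN flood can deny service without filling the pipe.

Added example for the thread above; not code from the original posts.
A spoofed SYN costs the attacker one minimum-size packet but costs the
victim a half-open (SYN_RECV) table entry that is held while the server
retransmits its SYN-ACK to a source that will never answer.  The table
is far smaller than the link, so it is exhausted long before the link is.
"""
import heapq

# Figures quoted in the thread:
LINK_BPS = 10_000_000        # 10 Mbit/s Internet connection
FLOOD_PPS = 10_000           # 10,000 SYN/s flood

# Assumptions for illustration (not from the thread):
SYN_WIRE_BYTES = 84          # 64-byte minimum Ethernet frame + 8 preamble + 12 inter-frame gap
BACKLOG = 1024               # half-open entries the server will hold
SPOOFED_HOLD_MS = 30_000     # how long an unanswered entry lingers while SYN-ACK is retried
LEGIT_HOLD_MS = 50           # one RTT for a real client to complete the handshake
LEGIT_PPS = 50               # legitimate connection attempts per second


def link_utilisation(pps=FLOOD_PPS, wire_bytes=SYN_WIRE_BYTES, link_bps=LINK_BPS):
    """Fraction of the link consumed by a flood of minimum-size packets."""
    return pps * wire_bytes * 8 / link_bps


def time_to_fill_backlog(backlog=BACKLOG, flood_pps=FLOOD_PPS):
    """Seconds until an empty half-open table is entirely spoofed entries."""
    return backlog / flood_pps


def _arrivals(ms, pps):
    """Packets arriving in millisecond `ms` for an even rate of `pps`/s (exact integer arithmetic)."""
    return ((ms + 1) * pps) // 1000 - (ms * pps) // 1000


def simulate(seconds, flood_pps=FLOOD_PPS, legit_pps=LEGIT_PPS,
             backlog=BACKLOG, syn_cookies=False):
    """Slotted 1 ms model of the server's half-open table.

    Returns (legit_accepted, legit_total).  Within a millisecond, expired
    entries are released first, then legitimate SYNs are served, then
    flood SYNs: the ordering most favourable to the victim.  With SYN
    cookies the server keeps no half-open state (the state is encoded in
    the SYN-ACK sequence number), so a legitimate SYN never needs a slot.
    CPU cost of answering SYNs is ignored.
    """
    table = []                      # min-heap of entry expiry times (ms)
    accepted = total = 0
    for ms in range(int(seconds * 1000)):
        while table and table[0] <= ms:
            heapq.heappop(table)    # SYN-ACK retries gave up, or handshake completed
        for _ in range(_arrivals(ms, legit_pps)):
            total += 1
            if syn_cookies:
                accepted += 1
            elif len(table) < backlog:
                accepted += 1
                heapq.heappush(table, ms + LEGIT_HOLD_MS)
        if not syn_cookies:
            for _ in range(_arrivals(ms, flood_pps)):
                if len(table) < backlog:
                    heapq.heappush(table, ms + SPOOFED_HOLD_MS)
    return accepted, total


if __name__ == "__main__":
    util = link_utilisation()
    print(f"flood uses {util:.1%} of the link; "
          f"{(1 - util) * LINK_BPS / 1e6:.2f} Mbit/s left for real traffic")
    print(f"half-open table full after {time_to_fill_backlog():.3f} s")
    for cookies in (False, True):
        ok, n = simulate(32, syn_cookies=cookies)
        print(f"syn_cookies={cookies}: {ok}/{n} legitimate connections accepted in 32 s")
```

With these inputs the flood occupies about 67% of the 10 Mbit/s link, leaving roughly 3.3 Mbit/s free, which matches the "3+Mbit/sec" in the message; the 1024-entry table is full after about 0.1 s, and until the first batch of spoofed entries times out 30 s later almost every legitimate SYN is dropped (10 of 1600 get through in the 32 s run), while the same run with SYN cookies accepts all 1600. The model only covers table exhaustion: if the attack instead saturates CPU or, as Rob's original scenario assumes, the link itself, a stateless handshake does not help and mitigation has to happen upstream.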
