FW: [Fwd: RE: Intrusion prevention and dDos protection]

mpaquette_at_toplayer.com
Date: 08/27/03

  • Next message: Zach Forsyth: "RE: Top IPS vendors - please read for invitation to Network World review."
    To: shoten@starpower.net, focus-ids@securityfocus.com
    Date: Wed, 27 Aug 2003 08:58:17 -0400
    Hi Rob,

            Your point below is not totally correct. I agree with you that *IF*
    the entire Internet connection link is swamped with DoS traffic, then there
    is little you can do from the organization side to affect it, but you
    mistakenly assume that all DDoS attacks are successful in filling the
    entirety of an organization's Internet link. While that may indeed be
    common for attacks that take place on low-speed broadband or T1 connections,
    it is definitely not true for organizations with higher speed Internet
    connections (10M, T3, 100M, OC-3, OC-12, Gig).

            In any organization where their critical on-line assets (say, Web
    Servers) have less capacity to withstand a particular attack, say a SYN
    Flood, than the Internet connection has capacity to let in, a Denial of
    Service condition can occur without filling up the Internet pipe with DoS
    Traffic. For example, with just a 10Mbit/sec Internet connection, a
    significant SYN flood of 10,000 SYNs/sec can make even a load-balanced,
    multi-CPU web server crawl to its knees. In this case there is still
    3+Mbit/sec of "free" bandwidth left over for legitimate requests to the web
    servers, but such requests will not be serviced because the servers are
    suffering from the attack - denial of service is achieved.

            Extending your analogy, think of these types of DDoS attacks not as
    street cloggers, but more like excess orderers. If 5 people show up at a
    fast food restaurant, getting to all 5 order-takers at the same time, and
    each takes 5 minutes asking questions and changing his mind 10 times before
    ordering 25 hamburgers each, the restaurant's ability to service additional
    customers during this time will stop well before the street gets clogged up,
    causing a denial of service. With a little creativity, you can probably
    think of lots of things you could do inside the restaurant to ensure that
    this does not take place.

            Over the past 12 months, we have seen dozens of targeted DDoS
    attacks, and none of them was successful in using up the entire pipe
    bandwidth. For these types of attacks, an organization-side attack
    mitigation approach can be quite effective, ensuring that legitimate
    transactions can complete even in the presence of high-volume SYN floods.
    If you're interested, contact me offline, and I'll provide you with a
    concrete real-life example.

    Thanks,
    Mike P.
    Top Layer Networks

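The capacity argument in the message above, as a worked example added here (not from the post or from Top Layer Networks). It turns the 10Mbit/sec, 10,000 SYNs/sec scenario into numbers: how much of the link the flood actually consumes, and how quickly the servers' half-open connection backlog is exhausted. The wire size per SYN (84 bytes: a 64-byte minimum Ethernet frame plus preamble and inter-frame gap), the 60-second half-open hold time, and the backlog sizes are assumptions for illustration, not figures from the post.

```python
"""Worked example (added, not from the list post): a SYN flood can deny
service long before it saturates the Internet link.

Assumptions (constructed for illustration, not from the post):
  * each SYN costs 84 bytes of wire time (64-byte minimum Ethernet frame
    plus 8-byte preamble and 12-byte inter-frame gap);
  * a server keeps a half-open entry for 60 s while it retransmits SYN/ACKs;
  * a farm of 4 servers with 1024 backlog slots each (illustrative sizes).
"""

SYN_WIRE_BYTES = 84       # assumed on-the-wire cost of one SYN
BITS_PER_BYTE = 8


def flood_bandwidth_mbps(syn_per_sec: float) -> float:
    """Link bandwidth (Mbit/s) consumed by a SYN flood at the given rate."""
    return syn_per_sec * SYN_WIRE_BYTES * BITS_PER_BYTE / 1_000_000


def free_bandwidth_mbps(link_mbps: float, syn_per_sec: float) -> float:
    """Bandwidth left over for legitimate traffic, never below zero."""
    return max(0.0, link_mbps - flood_bandwidth_mbps(syn_per_sec))


def half_open_demand(syn_per_sec: float, hold_seconds: float) -> float:
    """Little's law: average number of half-open entries the flood ties up."""
    return syn_per_sec * hold_seconds


def legit_accept_fraction(syn_per_sec: float, hold_seconds: float,
                          servers: int, backlog_per_server: int) -> float:
    """Fraction of legitimate SYNs that still find a free backlog slot.

    Attack and legitimate SYNs share the same queue, so once demand exceeds
    capacity, legitimate SYNs are dropped in the same proportion as the flood.
    """
    capacity = servers * backlog_per_server
    demand = half_open_demand(syn_per_sec, hold_seconds)
    if demand <= capacity:
        return 1.0
    return capacity / demand


def assess(link_mbps: float, syn_per_sec: float, hold_seconds: float = 60.0,
           servers: int = 4, backlog_per_server: int = 1024) -> dict:
    """Summarise both views of the attack: the pipe and the server backlog."""
    return {
        "flood_mbps": round(flood_bandwidth_mbps(syn_per_sec), 2),
        "free_mbps": round(free_bandwidth_mbps(link_mbps, syn_per_sec), 2),
        "pipe_saturated": flood_bandwidth_mbps(syn_per_sec) >= link_mbps,
        "half_open_needed": int(half_open_demand(syn_per_sec, hold_seconds)),
        "half_open_capacity": servers * backlog_per_server,
        "legit_accept_fraction": round(
            legit_accept_fraction(syn_per_sec, hold_seconds,
                                  servers, backlog_per_server), 4),
    }


if __name__ == "__main__":
    # The post's scenario: 10 Mbit/s link, 10,000 SYNs/s.
    print("10 Mbit/s link:", assess(10.0, 10_000))
    # The same flood against a T1: here the pipe itself is the bottleneck.
    print("T1 (1.544 Mbit/s):", assess(1.544, 10_000))
```

On the 10Mbit/sec link the flood uses about 6.7Mbit/sec and leaves roughly 3.3Mbit/sec free, in line with the "3+Mbit/sec" in the post, yet the servers would need about 600,000 half-open entries to absorb it against a capacity of 4,096, so under one percent of legitimate SYNs are accepted. Against a T1 the same flood fills the pipe outright, which is the case where organization-side mitigation cannot help.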
    -------- Original Message --------
    Subject: RE: Intrusion prevention and dDos protection
    Date: Sat, 23 Aug 2003 13:26:22 -0400
    From: Rob Shein <shoten@starpower.net>
    To: 'Darren Windham' <dwindham@dallastelco.org>, focus-ids@securityfocus.com

    I would hasten to point out that there isn't anything you can buy that will
    give you DDos protection. While a firewall/IPS is like a security guard at
    the entrance to a building to keep bad people out, a DDos attack is like so
    many bad people trying to get into the building that they choke the streets
    leading up to it; nothing you can put in your building will deal with that
    congestion or prevent it.

    > -----Original Message-----
    > From: Darren Windham [mailto:dwindham@dallastelco.org]
    > Sent: Thursday, August 21, 2003 10:17 AM
    > To: focus-ids@securityfocus.com
    > Subject: Intrusion prevention and dDos protection
    >
    >
    > I recently had the chance to meet with the guys over at
    > Melior and talk about their iSecure platform. Has anyone
    > else taken a look at it? I was pleasantly surprised at its
    > performance. I ran most of the common scanners on both Linux
    > and Windows platforms and had no such luck with it. I can
    > only hope that more products like this make it to the
    > mainstream marketplace. If you are looking for an IPS/dDos
    > prevention I'd make sure you take a good look at these guys.
    >
    > I'd love to hear feedback from others who have looked at this
    > or other similar products.
    >
    > Check them out at http://www.meliorinc.com
    >
    > Regards,
    >
    > Darren Windham
    > Network Administrator, Dallas Telco FCU
    > email: dwindham@dallastelco.org <mailto:dwindham@dallastelco.org>
    >
    >
    >
    >
    > Disclaimer: The information contained in this email is
    > confidential and is intended solely for the use of the person
    > identified as the recipient. If you are not the intended
    > recipient, any disclosure, copying, distribution, or taking
    > of any action in reliance on the contents is prohibited. If
    > you received this email in error, please contact the sender
    > immediately and dispose of the contents in a secure manner.
    >
    >
    >
    > --------------------------------------------------------------
    > -------------
    > Attend Black Hat Briefings & Training Federal, September
    > 29-30 (Training), October 1-2 (Briefings) in Tysons Corner,
    > VA; the world's premier
    > technical IT security event. Modeled after the famous Black
    > Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and
    > sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration
    > ends September 6 Visit: www.blackhat.com
    > --------------------------------------------------------------
    > -------------
    >
    >
