Re: Sessions Resource Exhaustion

On Oct 13, 2007, at 11:01 PM, Ahsan Khan wrote:

This would
create enough cushions for an administrator to react and remedy an attack.

DDoS attacks are attacks against capacity and/or against state. The most effective strategy to handle DDoS within one's own span of control (not including coordination with others, which will be necessary in the event of a serious and ongoing attack) is to design the entire system (network, hosts, apps, et. al.) in order to maximize capacity and minimize state vectors, while providing sufficient instrumentation and telemetry for visibility (such as NetFlow-based anomaly-detection), and sufficient mitigation/reaction mechanisms to assert control.

There are various reaction techniques mechanisms such as S/RTBH, QPPB, and dedicated DDoS scrubbing systems which can be used to react effectively to DDoS attacks; typically, these mechanisms instantiate little or no state in the network, do not require symmetric traffic flows (or indeed to interact with 'outbound' traffic at all, assuming the DDoS in question is an inbound one). Policy enforcement mechanisms may deliberately instantiate state as part of their operational paradigms, but that is a different application which isn't directly related to mitigating DDoS.

Roland Dobbins <rdobbins@xxxxxxxxx> // 408.527.6376 voice

I don't sound like nobody.

-- Elvis Presley

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to to learn more.