Re: Sessions Resource Exhaustion

On Oct 13, 2007, at 11:01 PM, Ahsan Khan wrote:

> This would create enough cushions for an administrator to react and remedy an attack.

DDoS attacks are attacks against capacity and/or against state. The most effective strategy to handle DDoS within one's own span of control (not including coordination with others, which will be necessary in the event of a serious and ongoing attack) is to design the entire system (network, hosts, apps, et al.) in order to maximize capacity and minimize state vectors, while providing sufficient instrumentation and telemetry for visibility (such as NetFlow-based anomaly detection), and sufficient mitigation/reaction mechanisms to assert control.

There are various reaction techniques and mechanisms such as S/RTBH, QPPB, and dedicated DDoS scrubbing systems which can be used to react effectively to DDoS attacks; typically, these mechanisms instantiate little or no state in the network and do not require symmetric traffic flows (or indeed any interaction with 'outbound' traffic at all, assuming the DDoS in question is an inbound one). Policy enforcement mechanisms may deliberately instantiate state as part of their operational paradigms, but that is a different application which isn't directly related to mitigating DDoS.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@xxxxxxxxx> // 408.527.6376 voice

I don't sound like nobody.

-- Elvis Presley
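The reply above argues for flow-telemetry visibility plus stateless reaction mechanisms (S/RTBH, destination blackholing). The script below is an added illustration, not code from the post or its author: a toy NetFlow-style anomaly detector that compares a current window of constructed flow records against a constructed baseline, flags a destination whose inbound packet rate and source diversity both jump, and then lists the destination-based and source-based RTBH actions an operator would review. All addresses, rates, thresholds and the "next-hop blackhole" route strings are assumptions for the example, not any vendor's syntax.

```python
"""
Added example (not from the original mailing-list post): a toy NetFlow-style
anomaly detector that flags a destination whose inbound packet rate and
source diversity jump far above a learned baseline, then emits the RTBH
(remotely triggered blackhole) actions an operator would review.
All flow records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    seconds: float  # length of the export window the record covers


# Constructed baseline: normal traffic to two hosts over a 60 s window.
BASELINE = [
    Flow("198.51.100.10", "203.0.113.5", 6, 443, 1200, 60.0),
    Flow("198.51.100.11", "203.0.113.5", 6, 443, 900, 60.0),
    Flow("198.51.100.12", "203.0.113.5", 6, 80, 300, 60.0),
    Flow("198.51.100.20", "203.0.113.9", 17, 53, 600, 60.0),
]

# Constructed "current" window: 203.0.113.5 is now hit by many sources at a
# far higher packet rate (the distributed, volumetric shape the post describes).
CURRENT = [Flow(f"192.0.2.{i}", "203.0.113.5", 17, 53, 40000, 60.0)
           for i in range(1, 41)]
CURRENT += [
    Flow("198.51.100.10", "203.0.113.5", 6, 443, 1100, 60.0),
    Flow("198.51.100.20", "203.0.113.9", 17, 53, 650, 60.0),
]


def per_dst_stats(flows):
    """Packets-per-second and distinct-source count per destination.
    Only per-window aggregates are kept: no per-connection state."""
    pps = defaultdict(float)
    srcs = defaultdict(set)
    for f in flows:
        pps[f.dst] += f.packets / f.seconds
        srcs[f.dst].add(f.src)
    return {d: (pps[d], len(srcs[d])) for d in pps}


def detect(baseline, current, pps_factor=10.0, min_sources=20):
    """Return destinations whose pps is >= pps_factor x their baseline AND
    that see at least min_sources distinct sources (both thresholds are
    assumed values for the example)."""
    base = per_dst_stats(baseline)
    now = per_dst_stats(current)
    alerts = {}
    for dst, (pps, nsrc) in now.items():
        base_pps = base.get(dst, (1.0, 0))[0] or 1.0  # unseen dst: assume 1 pps
        if pps >= pps_factor * base_pps and nsrc >= min_sources:
            alerts[dst] = {"pps": round(pps, 1),
                           "baseline_pps": round(base_pps, 1),
                           "sources": nsrc}
    return alerts


def rtbh_actions(alerts, current, top_n=5):
    """Suggest blackhole actions for review. Destination-based RTBH drops
    everything to the victim /32 to protect the rest of the network;
    source-based RTBH (S/RTBH) drops only the noisiest sources so the
    victim stays reachable. The route strings are an assumed format."""
    actions = []
    for dst in alerts:
        actions.append(f"D/RTBH: {dst}/32 next-hop blackhole")
        by_src = defaultdict(float)
        for f in current:
            if f.dst == dst:
                by_src[f.src] += f.packets / f.seconds
        ranked = sorted(by_src.items(), key=lambda kv: -kv[1])[:top_n]
        for src, _ in ranked:
            actions.append(f"S/RTBH: {src}/32 next-hop blackhole")
    return actions


if __name__ == "__main__":
    found = detect(BASELINE, CURRENT)
    for line in rtbh_actions(found, CURRENT):
        print(line)
```

The detector deliberately keeps nothing but per-window counters, which is the property the post asks of reaction mechanisms: it works on exported flow summaries, needs no symmetric view of return traffic, and hands the operator two stateless options (blackhole the victim prefix, or blackhole the top sources) rather than trying to track individual sessions.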

