Re: Diff ways to prevent DoS and DDoS



Thank you for the corrections.

I guess I should have said ACL and firewalls alone are not sufficient
as these can block only known attack methodologies or defined traffic.


On Thu, Apr 26, 2012 at 8:35 AM, _ <packetnull@xxxxxxxxx> wrote:
To add on this: DoS/DDoS/DRDoS are usually based on timing and amount of connections. ACLs are a first line of defense. Nasty little buggers they are; attackers will try to "deny" service from layers 3 to 7. That's why security folks come up with new fancy terms like NGFWs: same thing bonded together.



On Apr 24, 2012, at 3:58 PM, "David Gillett" <gillettdavid@xxxxxxxx> wrote:

From: Don Thomas [mailto:don.thomasjacob@xxxxxxxxx] wrote:

1st you need to think beyond your network firewalls and ACL on the router.
Firewalls and ACL can never stop DoS attacks as they can stop only
information you have asked it to stop.

 Ooops.  You've provided no argument that establishes that we cannot ask
firewalls or ACLs to block DoS/DDoS attacks....

 There *are* two relevant limitations of firewalls and ACLs, but they're
not what you suggest here:

1.  Firewalls and ACLs effectively classify traffic into three categories:
known good, known bad, and unknown.  They may have to base this
categorization on inadequate information -- for instance, to an ACL there's
no easy way to distinguish a simple ping from a ping-of-death.  Sometimes
the only real difference between legitimate traffic and a DoS/DDoS is the
rate of such traffic; ACLs provide no way to specify this, and not all
firewalls do either...

2.  A firewall or ACL can only act on traffic that reaches the location
where it is implemented.  In some cases, a DoS/DDoS attack may do its damage
before reaching that point.  For instance, a trivial brute-force bandwidth
consumption attack will probably manage to saturate the ISP connection
regardless of whether it is blocked once it arrives at the target's site.

 Disproof by counterexample: My ACLs block some specific DoS attacks that
used to knock us off the Internet routinely.

David Gillett, CISSP CCNP
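
An added illustration of limitation 1 above (not part of the original thread): a stateless ACL rule decides from one packet's header fields, so it passes a flood of well-formed echo requests exactly as it passes a normal ping, while a per-source token bucket separates the two by rate. The packet records, the function names, the rate and burst values, and the documentation-range addresses are all constructed for this sketch.

```python
from collections import defaultdict

def make_packets():
    """Constructed sample traffic: (timestamp_s, src_ip, protocol, icmp_type)."""
    pkts = [(float(t), "192.0.2.10", "icmp", 8) for t in range(10)]  # 1 ping/s
    pkts += [(5.0 + i * 0.005, "198.51.100.7", "icmp", 8)            # 200 pings in ~1 s
             for i in range(200)]
    return sorted(pkts)

def acl_permits(pkt):
    """Stateless ACL: 'permit icmp echo'. Sees only this packet's headers."""
    _, _, proto, icmp_type = pkt
    return proto == "icmp" and icmp_type == 8

class TokenBucket:
    """Per-source rate limiter: 'rate' tokens per second, at most 'burst' stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            refill = (now - self.last) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def classify(packets, rate=2.0, burst=5):
    """Return (passed by ACL alone, passed by ACL plus rate limit) per source."""
    buckets = {}
    acl_passed, rate_passed = defaultdict(int), defaultdict(int)
    for pkt in packets:
        ts, src = pkt[0], pkt[1]
        if not acl_permits(pkt):
            continue
        acl_passed[src] += 1          # header match: flood and ping look alike
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        if bucket.allow(ts):
            rate_passed[src] += 1     # only the rate tells them apart
    return dict(acl_passed), dict(rate_passed)

if __name__ == "__main__":
    acl, limited = classify(make_packets())
    for src in sorted(acl):
        print(f"{src}: ACL passed {acl[src]}, rate limit passed {limited[src]}")
```

This covers only the first limitation: the limiter still runs at the target's end of the link, so it does nothing about the upstream saturation described in point 2.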




