Kyle Quest wrote:
> This is just some background info on this new (D)DoS technology
> Radware has, so people have a better idea of what Avi is talking
> about...
Let's see...
> These parameters are:
> 1. Source IP.
[...]
> 17. DNS query ID.
Basically, any numeric parameter which can be extracted from a TCP flow
then...
> They create dynamic filters and see what kind of effect they have
> and how the blocked traffic source behaves. Based on those results
> they adjust those filters.
OK, this is what any anomaly detection system would do. It would be nice
if vendors sometimes added something like "how are we using the data" :)
> The way things work it's not unusual for them to block legitimate
> traffic for a very small period of time while they are trying to
> figure out if traffic they are processing is bad or good.
Yes, this is pretty much the idea of everyone in the field :-D
Stefano
--
Kind regards,
Stefano Zanero
Dottorando di Ricerca / Ph.D. Student
Politecnico di Milano - Dip. Elettronica e Informazione
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel. +39 02 2399-4010/3660
Fax. +39 02 2399-3411
E-mail: zanero_at_elet.polimi.it
Web: www.elet.polimi.it/upload/zanero
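For readers who want a concrete picture of the "dynamic filter" loop being discussed (profile numeric flow parameters, flag a value whose share of the traffic explodes, filter on it, measure the effect, drop the filter once the anomaly is gone), here is a small self-contained simulation. It is an added example written for this archive page, not Radware's code and not anything from the original posts: the parameter names, the two thresholds (RATIO, MIN_SHARE), the flow-record layout and the sample traffic are all assumptions. The constructed "legit" label on each record is ground truth used only to report collateral damage; a real device would not have it.

```python
"""Per-parameter anomaly detection with dynamic filters (hypothetical simulation).

Flow records are dicts carrying a few numeric parameters of the kind listed in
the thread (source IP, TTL, packet length, destination port). A baseline
profile is learned from clean traffic; a value whose share of the current
window grows RATIO-fold over its baseline share (and is at least MIN_SHARE of
the window) gets a dynamic filter; the filter is kept only while the value is
still anomalous in the unfiltered traffic, so legitimate flows that happen to
share the value are blocked only for a short time.
"""
from collections import Counter

PARAMS = ("src_ip", "ttl", "pkt_len", "dst_port")  # parameters we profile (assumed set)
RATIO = 4.0        # assumed: anomalous if share grew at least this much over baseline
MIN_SHARE = 0.25   # assumed: ... and the value makes up at least this much of the window


def baseline_profile(flows):
    """Share of each observed value, per parameter, in clean traffic."""
    n = len(flows)
    profile = {p: {} for p in PARAMS}
    for p in PARAMS:
        for value, count in Counter(f[p] for f in flows).items():
            profile[p][value] = count / n
    profile["_floor"] = 1.0 / n   # baseline share assumed for never-seen values
    return profile


def detect_anomalies(profile, window):
    """Return sorted (param, value) pairs whose share of the window is anomalous."""
    n = len(window)
    found = []
    for p in PARAMS:
        for value, count in Counter(f[p] for f in window).items():
            share = count / n
            base = profile[p].get(value, profile["_floor"])
            if share >= MIN_SHARE and share >= RATIO * base:
                found.append((p, value))
    return sorted(found, key=lambda pv: (pv[0], str(pv[1])))


def apply_filters(filters, window):
    """Split a window into (passed, blocked) under the current filter set."""
    passed, blocked = [], []
    for f in window:
        (blocked if any(f[p] == v for p, v in filters) else passed).append(f)
    return passed, blocked


def filter_effect(filters, window):
    """What the filters do: share of the window dropped, and share of the
    legitimate flows dropped (collateral damage, measured with the constructed
    'legit' label that only this simulation has)."""
    _, blocked = apply_filters(filters, window)
    legit_total = sum(1 for f in window if f["legit"])
    legit_blocked = sum(1 for f in blocked if f["legit"])
    return {
        "blocked_share": len(blocked) / len(window),
        "legit_blocked_share": legit_blocked / legit_total if legit_total else 0.0,
    }


def adjust_filters(profile, filters, window):
    """Keep only filters whose value is still anomalous in the *unfiltered*
    window; the rest are dropped so briefly blocked legitimate traffic flows again."""
    still = set(detect_anomalies(profile, window))
    return [flt for flt in filters if flt in still]


def legit_flows(n, salt=0):
    """Constructed clean traffic: a deterministic mix of common TTLs, sizes, ports."""
    ttls = (64, 128, 255, 64, 128)
    sizes = (1500, 576, 1500, 60, 1500)
    ports = (80, 443, 443, 80, 25)
    return [{
        "src_ip": f"10.{(i + salt) % 7}.{(3 * i + salt) % 11}.{(5 * i) % 13}",
        "ttl": ttls[i % 5], "pkt_len": sizes[i % 5], "dst_port": ports[i % 5],
        "legit": True,
    } for i in range(n)]


def flood_flows(n):
    """Constructed spoofed flood: source IPs vary, TTL and packet size do not."""
    return [{
        "src_ip": f"{(37 * i) % 223 + 1}.{(91 * i) % 251}.{(53 * i) % 241}.{(7 * i) % 253}",
        "ttl": 52, "pkt_len": 60, "dst_port": 80, "legit": False,
    } for i in range(n)]


def simulate():
    """Baseline -> attack window -> calm window; returns what happened at each step."""
    profile = baseline_profile(legit_flows(200))
    attack = legit_flows(200, salt=1) + flood_flows(1000)
    filters = detect_anomalies(profile, attack)          # filters created
    during = filter_effect(filters, attack)              # effect while attack runs
    calm = legit_flows(200, salt=2)
    filters = adjust_filters(profile, filters, calm)     # anomaly gone -> filters dropped
    after = filter_effect(filters, calm)
    return {"filters": filters, "during": during, "after": after}


if __name__ == "__main__":
    print(simulate())
```

In the attack window the flood shares destination port 80 with much of the clean traffic, so port 80 never crosses the ratio threshold and is not filtered; TTL 52 (never seen in the baseline) and packet length 60 (seen, but now dominant) are. The length-60 filter is what costs the "very small period" of collateral damage mentioned in the thread: it drops the legitimate 60-byte flows until the calm window, where re-detection finds nothing anomalous and both filters are retired.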
Received on Jan 05 2006