IDS: Re: Denial of Service: Commercial Defense products

Re: Denial of Service: Commercial Defense products

From: Securesolutions <securesolutions_at_gmail.com>
Date: Tue, 10 Jan 2006 23:01:13 -0000

Hi
For most of the situations I will be recommending this, it is for customers
who need to ensure no good traffic is blocked.

Your heuristic methods in my opinion will cause issues for legitimate
traffic also, and are not something I would feel confident in on real networks.
At the end of the day people put the device in to maximise the uptime of
their network and I feel this would be a counterproductive step.

/Mick

----- Original Message -----
From: "avi chesla" <chess4_4_at_hotmail.com>
To: <securesolutions_at_gmail.com>; <focus-ids_at_securityfocus.com>
Sent: Monday, January 02, 2006 6:56 PM
Subject: Re: Denial of Service: Commercial Defense products

> Hi,
>
> To your question:
> 1. Some of these (and more) fields will have to be at least bounded inside
> certain intervals - otherwise the attack will not be really effective or
> will not reach its victim(s). Also note that "random" values that are
> generated through the traditional random number generators will always
> have a "center of mass" range that can be detected.
> 2. This DDoS mechanism is stateless, therefore it will be really hard to
> put it in DoS condition
>
> Having said the above, there is no 100% bullet proof solution against DDoS
> attacks. The alternatives should be evaluated carefully and may the best
> solution win
>
> Avi
>
>
>>From: "Securesolutions" <securesolutions_at_gmail.com>
>>To: "Kyle Quest"
>><Kyle.Quest_at_networkengines.com>,<focus-ids_at_securityfocus.com>
>>Subject: Re: Denial of Service: Commercial Defense products
>>Date: Fri, 30 Dec 2005 11:27:12 -0000
>>
>>Hi
>>
>>Thanks for the info on this DDoS mechanism.
>>It is very basic in my opinion.
>>
>>Some DDoS tools will certainly be picked up by this mechanism especially
>>the more popular attack tools.
>>
>>
>>However I believe it is easily possible to spoof sources in a random order
>>and vary all these fields so that no pattern arises and nothing can
>>accurately be blocked.
>>Or worse still, to cause yourself a DoS.
>>
>>If someone wants to take you offline then they can easily modify existing
>>tools if they know a bit of C programming and get past a solution based on
>>this.
>>Do I understand this correctly?
>>
>>Thanks
>>/Mick
>>
>>----- Original Message ----- From: "Kyle Quest"
>><Kyle.Quest_at_networkengines.com>
>>To: <focus-ids_at_securityfocus.com>
>>Sent: Tuesday, December 27, 2005 4:00 PM
>>Subject: RE: Denial of Service: Commercial Defense products
>>
>>
>>This is just some background info on this new (D)DoS technology
>>Radware has, so people have a better idea of what Avi is talking
>>about...
>>
>>These parameters are:
>>
>>1. Source IP.
>>2. Destination IP.
>>3. Source port.
>>4. Destination port.
>>5. Packet ID (IP ID).
>>6. Packet size.
>>7. TCP TTL.
>>8. ToS.
>>9. IP checksum.
>>10. TCP sequence number.
>>11. TCP checksum.
>>12. TCP flags.
>>13. ICMP checksum.
>>14. UDP checksum.
>>15. ICMP message type.
>>16. DNS query.
>>17. DNS query ID.
>>
>>They create dynamic filters and see what kind of effect they have
>>and how the blocked traffic source behaves. Based on those results
>>they adjust those filters.
>>
>>The way things work it's not unusual for them to block legitimate
>>traffic for a very small period of time while they are trying to
>>figure out if traffic they are processing is bad or good. The idea
>>is that those black out periods wouldn't affect the legitimate traffic
>>much.
>>
>>Kyle
>>
>>P.S.
>>I don't work for Radware :-)
>>
>>-----Original Message-----
>>From: avi chesla [mailto:chess4_4_at_hotmail.com]
>>Sent: Tuesday, December 20, 2005 12:29 PM
>>To: finacksyn_at_yahoo.co.uk; devdas_at_dvb.homelinux.org;
>>focus-ids_at_securityfocus.com
>>Subject: Re: Denial of Service: Commercial Defense products
>>
>>
>>Hi Matt,
>>
>>It should be noted that I am an employee of Radware. The following answer is
>>informative only.
>>
>>The problem you have encountered has been handled in the latest versions of
>>the DefensePro.
>>A new mechanism (adaptive behavioral DoS protection) which aims to handle
>>all types of floods has been implemented. This new mechanism uses a mature
>>technology that was taken from V-Secure Technologies (this is involved with
>>the acquisition that Radware made). The new mechanism mitigates TCP (Syn and
>>also other TCP floods), UDP, ICMP and IGMP floods by using a statistical
>>adaptive approach (i.e., no thresholds need to be set). The mitigation
>>methods that this mechanism allows are highly granular which means that the
>>detected attack is blocked according to multiple characteristic parameters
>>taken from the packet headers and payload. These parameters (e.g.,
>>checksums, packet sizes, TTL, ports, DNS queries etc) are detected on the
>>fly and are automatically tailored through AND and OR logical
>>relationships in order to generate the most narrow prevention measure
>>against the detected attack (all in order to minimize the blocking of
>>legitimate users).
>>The integrated technology allows this whole process (detection and
>>prevention) to take place without user intervention.
>>If you test mitigation tools, you should especially focus on the granularity
>>and accuracy of the prevention rules that these tools provide.
>>Regarding Toplayer and Riverhead, the aforementioned new protection is
>>actually a breakthrough for Radware mitigation capabilities. I advise you
>>to test Radware's new DoS and DDoS solution compared to the other vendors -
>>I think that the differences can be easily exposed.
>>
>>Let me know if you need any more assistance.
>>
>>Avi
>>
>>------------------------------------------------------------------------
>>Test Your IDS
>>
>>Is your IDS deployed correctly?
>>Find out quickly and easily by testing it
>>with real-world attacks from CORE IMPACT.
>>Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>>to learn more.
>>------------------------------------------------------------------------
>>
>>
>
>

Received on Jan 11 2006
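The thread argues about whether a filter built from characteristic header parameters (Kyle's list, Avi's AND/OR "most narrow prevention measure") can be evaded by randomising those fields, and whether it blocks good traffic (Mick's concern). The following is an added example written for this archive page; it is not Radware's code and not code from anyone on the list. It constructs a baseline traffic mix and two SYN floods, derives an AND-filter of exact and range rules from the fields that stay concentrated in the flood, and then measures how much baseline traffic that filter would also drop. Field names, thresholds and all packet values are constructed for the demonstration.

```python
"""Added example: derive a narrow AND-filter for a packet flood from the header
fields enumerated in the thread, then measure the share of baseline traffic it
would also block. All packet data is constructed; this is not Radware's
algorithm, only an illustration of the parameter-based idea discussed above."""
from collections import Counter

# A subset of the parameters listed in the thread; values are per-packet dicts.
FIELDS = ["src_ip", "dst_port", "ttl", "size", "ip_id", "tcp_flags"]


def make_baseline(n=240):
    """Constructed legitimate traffic: two service ports, a spread of TTLs
    (different client stacks and path lengths), common sizes, mixed flags."""
    ttls = (52, 57, 64, 110, 118, 128)
    sizes = (40, 52, 60, 576, 1500)
    flags = ("S", "A", "PA")
    return [{"src_ip": f"10.0.{i % 7}.{i % 11}", "dst_port": (80, 443)[i % 2],
             "ttl": ttls[i % 6], "size": sizes[i % 5],
             "ip_id": (i * 31153) % 65536, "tcp_flags": flags[i % 3]}
            for i in range(n)]


def make_syn_flood(n=300, ttl_band=(61, 63)):
    """Constructed SYN flood: spoofed sources, fixed size and flags, and a TTL
    the sender randomises only inside `ttl_band` (use (1, 255) for full spread)."""
    lo, hi = ttl_band
    return [{"src_ip": f"{(i * 97) % 223 + 1}.{(i * 53) % 256}.{(i * 29) % 256}.{(i * 7) % 256}",
             "dst_port": 80, "ttl": lo + (i * 151) % (hi - lo + 1), "size": 40,
             "ip_id": (i * 40503) % 65536, "tcp_flags": "S"}
            for i in range(n)]


def dominant(packets, field):
    """Most common value of a field and the fraction of packets carrying it."""
    value, count = Counter(p[field] for p in packets).most_common(1)[0]
    return value, count / len(packets)


def rule_matches(rule, value):
    """A rule is ("eq", v) or ("range", lo, hi)."""
    if rule[0] == "eq":
        return value == rule[1]
    return rule[1] <= value <= rule[2]


def evaluate(rules, packets):
    """Return (matched, total): recall on the flood, false positives on baseline."""
    matched = sum(1 for p in packets
                  if all(rule_matches(r, p[f]) for f, r in rules.items()))
    return matched, len(packets)


def derive_filter(baseline, flood, concentration=0.9, max_baseline_share=0.95):
    """AND together every field that characterises the flood.
    A field gets an exact rule when one value covers >= `concentration` of the
    flood. A numeric field the attacker only jitters inside a band still gets a
    range rule (the bounded "center of mass" Avi describes). A rule that would
    match nearly all baseline traffic narrows nothing and is dropped, which is
    what happens to a field the attacker randomises over its whole range."""
    rules = {}
    for f in FIELDS:
        value, share = dominant(flood, f)
        if share >= concentration:
            cand = ("eq", value)
        elif isinstance(value, int):
            values = [p[f] for p in flood]
            cand = ("range", min(values), max(values))  # simplest band choice
        else:
            continue  # non-numeric field with no dominant value: unusable
        hit, total = evaluate({f: cand}, baseline)
        if hit / total <= max_baseline_share:
            rules[f] = cand
    return rules


if __name__ == "__main__":
    baseline = make_baseline()
    for band in ((61, 63), (1, 255)):
        flood = make_syn_flood(ttl_band=band)
        rules = derive_filter(baseline, flood)
        print(f"TTL band {band}: rules={rules}")
        print("  flood blocked %d/%d, legitimate blocked %d/%d"
              % (*evaluate(rules, flood), *evaluate(rules, baseline)))
```

With the TTL jittered inside 61..63 the derived filter keeps a TTL range rule and blocks the whole flood with no baseline packet caught; when the sender randomises the TTL over 1..255 that field drops out, and the remaining port/size/flags rules also match the legitimate SYNs that share those values, which is exactly the granularity trade-off the thread is arguing about.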
