
Security Basics mailing list archives
RE: any recommendable anti-ddos solution?
From: "theog" <theog () theog org>
Date: Wed, 29 Aug 2007 13:21:02 +0300
With DDOS you cannot simply block a host, DDOS is originating from lots of hosts on the internet and with a smart attacker they will also come from different subnets on different geographic locations, so blocking a host will not help here.

What's more, blocking makes an IPS system and I am not in favor of those. The reason is quite simple: if an attacker identifies such a system (IPS) installed on your network, it is even easier to perform an even worse attack. For example, if I know you have an IPS system that denies traffic from attacking hosts for, let's say, 30 minutes by IP, I would attack you with spoofed IPs of various hosts and even attack your system impersonating your DNS server (spoofing behind your DNS server IP address (your ISP's DNS server)), which will cause your system to deny traffic from your DNS server for 30 minutes, thus completely disabling your system.

Liran Cohen
RCT Internet solutions.
http://dir.rct.co.il
http://www.rct.co.il

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dereck Martin
Sent: Tuesday, August 28, 2007 1:55 AM
To: Monty Ree; security-basics () securityfocus com
Subject: RE: any recommendable anti-ddos solution?

I would use an IDS to monitor traffic in real time like "snort_inline". You can then use signatures to detect certain types of exploits, ddos and such. When it happens it will auto drop, log, and block the connection. No more denial of service attacks from that host =)

For this to work you would set up a transparent bridge between your router and the switch that goes to everything else inside the network. It would then run your inline snort and sniff the data coming across the network. When a signature triggers that you have specified to be blocked, it will do so.

You can also use a front end like base or acid with a mysql backend to visually see people trying to exploit your network. It's a nice IDS solution.

Search Google for stuff like snort inline, Acid and snort, base and snort. You will find a lot of tutorials.

Dereck Martin
Network Operations Engineer
PacketDrivers IT Outsourcing, LLC
http://www.packetdrivers.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Monty Ree
Sent: Monday, August 27, 2007 11:52 AM
To: security-basics () securityfocus com
Subject: any recommendable anti-ddos solution?

Hello, list.

These days our network has been suffering from various ddos attacks (syn flooding, udp flooding...etc). From time to time, ddos traffic is over 2G bps and this makes all network service including firewall and IPS go down..

So is there any recommendable commercial anti-ddos equipment or solution?

I have heard about the cisco guard & detector and many say that only this can fight against ddos attack. Right? But it seems that other anti ddos solution comes...

Please recommend commercial anti ddos solution for me.

Thanks in advance...
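The self-inflicted outage described in theog's reply (a timed per-IP block triggered by traffic with forged source addresses), as an added example that is not part of the original thread: auto-block decision logic in a naive form beside a hardened form that keeps a never-block list and only bans sources that completed a TCP handshake. All function names, addresses and policy values are constructed assumptions, not taken from Snort or any product named in the thread.

```python
import ipaddress

# Assumed (hypothetical) policy values; addresses are documentation ranges.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.53/32",   # constructed: the ISP's DNS resolver
    "192.0.2.1/32",    # constructed: upstream gateway
)]
BLOCK_SECONDS = 30 * 60  # the 30-minute block used as the example in the thread

def is_protected(src):
    """True if src belongs to infrastructure that must never be auto-blocked."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in NEVER_BLOCK)

def decide(alert, hardened=True):
    """Return 'block', 'drop-only' or 'alert-only' for one IPS alert.

    alert: dict with 'src', 'proto' and 'handshake_done' (True only when the
    TCP three-way handshake completed, so the source was not blindly spoofed).
    """
    if not hardened:
        return "block"                 # naive: trusts the source address
    if is_protected(alert["src"]):
        return "alert-only"            # never cut off critical infrastructure
    if alert["proto"] == "udp" or not alert["handshake_done"]:
        return "drop-only"             # source unverifiable: no timed ban
    return "block"

def apply_policy(alerts, hardened, now=0):
    """Build the block table {src: expiry_time} that a policy would produce."""
    table = {}
    for a in alerts:
        if decide(a, hardened) == "block":
            table[a["src"]] = now + BLOCK_SECONDS
    return table

# Constructed sample alerts.
ALERTS = [
    {"src": "192.0.2.53", "proto": "udp", "handshake_done": False},    # forged as the resolver
    {"src": "198.51.100.7", "proto": "tcp", "handshake_done": False},  # SYN flood, unverifiable
    {"src": "203.0.113.9", "proto": "tcp", "handshake_done": True},    # established session
]

if __name__ == "__main__":
    print("naive   :", sorted(apply_policy(ALERTS, hardened=False)))
    print("hardened:", sorted(apply_policy(ALERTS, hardened=True)))
```

The naive table ends up banning the resolver address; the hardened table bans only the source that proved it could receive replies.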