RE: [Fwd: RE: Intrusion prevention and dDos protection]

["Rob Shein" <shoten () starpower net>]

Very good point.  I was envisioning a full pipe in my example, but I see how
in this case, proper architecture can allow an organization to respond to an
attack and maintain some functionality.  I still stand by my earlier
statement, however, that a single product cannot truthfully claim to protect
an organization against a DDOS, in the way earlier described.  

> -----Original Message-----
> From: mpaquette () toplayer com [mailto:mpaquette () toplayer com] 
> Sent: Wednesday, August 27, 2003 8:58 AM
> To: shoten () starpower net; focus-ids () securityfocus com
> Subject: FW: [Fwd: RE: Intrusion prevention and dDos protection]
>
>
> Hi Rob,
>
>       Your point below is not totally correct. I agree with 
> you that *IF* the entire Internet connection link is swamped 
> with DoS traffic, then there is little you can do from the 
> organization side to affect it, but you mistakenly assume 
> that all DDoS attacks are successful in filling the entirety 
> of an organization's Internet link.  While that may indeed be 
> common for attacks that take place on low-speed broadband or 
> T1 connections, it is definitely not true for organizations 
> with higher speed Internet connections (10M, T3, 100M, OC-3, 
> OC-12, Gig).  
>
>       In any organization where their critical on-line assets 
> (say, Web
> Servers) have less capacity to withstand a particular attack, 
> say a SYN Flood, than the Internet connection has capacity to 
> let in, a Denial of Service condition can occur without 
> filling up the Internet pipe with DoS Traffic.  For example, 
> with just a 10Mbit/sec Internet connection, a significant SYN 
> flood of 10,000 SYNs/sec can make even a load-balanced, 
> multi-CPU web server crawl to its knees.  In this case there is still
> 3+Mbit/sec of "free" bandwidth left over for legitimate 
> requests to the 
> 3+web
> servers, but such requests will not be serviced because the 
> servers are suffering from the attack - denial of service is achieved.
>
>       Extending your analogy, think of these types of DDoS 
> attacks not as street cloggers, but more like excess 
> orderers.  If 5 people show up at a fast food restaurant, 
> getting to all 5 order-takers at the same time, and each 
> takes 5 minutes asking questions and changing his mind 10 
> times before ordering 25 hamburgers each, the restaurant's 
> ability to service additional customers during this time will 
> stop well before the street gets clogged up, causing a denial 
> of service.  With a little creativity, you can probably think 
> of lots of things you could do inside the restaurant to 
> ensure that this does not take place.
>
>       Over the past 12 months, we have seen dozens of 
> targeted DDoS attacks, and none of them was successful in 
> using up the entire pipe bandwidth.  For these types of 
> attacks, an organization-side attack mitigation approach can 
> be quite effective, ensuring that legitimate transactions can 
> complete even in the presence of high-volume SYN floods. If 
> you're interested, contact me offline, and I'll provide you 
> with a concrete real-life example.
>
> Thanks,
> Mike P.
> Top Layer Networks
>
> -------- Original Message --------
> Subject: RE: Intrusion prevention and dDos protection
> Date: Sat, 23 Aug 2003 13:26:22 -0400
> From: Rob Shein <shoten () starpower net>
> To: 'Darren Windham' <dwindham () dallastelco org>, 
> focus-ids () securityfocus com
>
> I would hasten to point out that there isn't anything you can 
> buy that will give you DDos protection.  While a firewall/IPS 
> is like a security guard at the entrance to a building to 
> keep bad people out, a DDos attack is like so many bad people 
> trying to get into the building that they choke the streets 
> leading up to it; nothing you can put in your building will 
> deal with that congestion or prevent it.
>
>  > -----Original Message-----
>  > From: Darren Windham [mailto:dwindham () dallastelco org]
>  > Sent: Thursday, August 21, 2003 10:17 AM
>  > To: focus-ids () securityfocus com
>  > Subject: Intrusion prevention and dDos protection
>  >
>  >
>  > I recently had the chance to meet with the guys over at
>  > Melior and talk about their iSecure platform.  Has anyone
>  > else taken a look at it?  I was pleasantly suprised at its
>  > performance.  I ran most of the common scanners on both 
> Linux  > and Windows platforms and had no such luck with it.  
> I can  > only hope that more products like this make it to 
> the  > mainstream marketplace.  If you are looking for a 
> IPS/dDos  > prevention I'd make sure you take a good look at 
> these guys.  >  > I'd love to hear feedback from others who 
> have looked at this  > or other similar products.  >  > Check 
> them out at http://www.meliorinc.com  >  > > Regards,  >  > 
> Darren Windham  > Network Administrator, Dallas Telco FCU  > 
> email: dwindham () dallastelco org 
<mailto:dwindham () dallastelco org>  >  >  >  >  > Disclaimer: The information
contained in this email is  > confidential and is intended solely for the
use of the person  > identified as the recipient. If you are not the
intended  > recipient, any disclosure, copying, distribution, or taking  >
of any action in reliance on the contents is prohibited. If  > you received
this email in error, please contact the sender  > immediately and dispose of
the contents in a secure manner.  >  >  >  >
--------------------------------------------------------------
> -------------
> Attend Black Hat Briefings & Training Federal, September
> 29-30 (Training), October 1-2 (Briefings) in Tysons Corner,  > VA; the
worldÂ's premier  > technical IT security event.  Modeled after the famous
Black  > Hat event in  > Las Vegas! 6 tracks, 12 training sessions, top
speakers and  > sponsors.  > Symanetc is the Diamond sponsor.  Early-bird
registration  > ends September 6 Visit: www.blackhat.com  >
--------------------------------------------------------------
> -------------


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 
(Training), October 1-2 (Briefings) in Tysons Corner, VA; the worldÂ's 
premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symanetc is the Diamond sponsor.  Early-bird registration ends September 
6 Visit: www.blackhat.com
---------------------------------------------------------------------------


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, 
VA; the world’s premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symanetc is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
---------------------------------------------------------------------------