Re: DoS/DDoS Attack

From: Kevin Willock (IGSN Security) (kevin@igsn.com)
Date: Fri Jan 14 2005 - 13:41:25 EST

• Next message: Edward Sohn: "RE: DoS/DDoS Attack"
• Previous message: Cure, Samuel J: "RE: Sample Risk Assessment Report"
• In reply to: Wallisch, Philip: "RE: DoS/DDoS Attack"
• Next in thread: Peter Van Epp: "Re: DoS/DDoS Attack"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Wallisch, Philip wrote:

>I wouldn't say "no way of determining". Check out http://www.riverhead.com/
>
>Through the use of baselines and complicated algorithms you can scrub at least some of that traffic.
>
>-----Original Message-----
>From: Faisal Khan [mailto:faisal@netxs.com.pk]
>Sent: Friday, January 14, 2005 1:06 AM
>To: pen-test@securityfocus.com
>Subject: DoS/DDoS Attack
>
>
>
>
>Folks,
>
>Two quick questions.
>
>When IP (Source) addresses are spoofed, is there no way of determining (a)
>that the IP Source Addresses is spoofed and not the genuine one (b) to be
>able to determine the actual IP address that is sending DoS packets?
>
>Somehow I get the feeling I'm SOL when trying to find out the
>"genuine/actual" source IP address.
>
>If this is the case, then pretty much we all are helpless with DoS/DDoS
>attacks - considering one can write a script/program to keep incrementing
>or randomly assigning spoofed source addresses in the DoS packets being
>sent out.
>
>Faisal
>
>
>
>
>
>Faisal Khan, CEO
>Net Access Communication
>Systems (Private) Limited
>________________________________
>
>Network Security - Secure Web Hosting
>Managed Internet Services - Secure Email
>Dedicated Servers - Reseller Hosting
>
>Visit www.netxs.com.pk for more information.
>
>
>
>
There are a lot of devices out there that can mitigate attack traffic.
These devices work to varying degrees of effectiveness. The new trend is
to inject data into a table, and get a baseline for what "normal"
traffic is on your system. Then when abnormal traffic begins to appear
these devices will compare against your regular traffic and the new
flurry of packets that are coming in, and make intelligent decisions
(based on commonalities that appear in traffic (IE: incrementing packet
#'s, same TTL etc).

These devices are costly, and are sometimes beyond the scope of some
operators, but you can discuss with your ISP getting actively involved
in implementing a device, and offering the service to a range of clients
at a fee to cover the costs of purchasing and administrating these
devices. There are also third party groups that offer packet scrubbing
services, and employ multiple devices and offer a sort of proxy service.
These groups are now offering SLA's and when gauged against the cost of
outright buying one of these devices and training staff to administrate
them, is often a more economically feasible solution to the problem.

Kevin Willock
IGSN Security

• Next message: Edward Sohn: "RE: DoS/DDoS Attack"
• Previous message: Cure, Samuel J: "RE: Sample Risk Assessment Report"
• In reply to: Wallisch, Philip: "RE: DoS/DDoS Attack"
• Next in thread: Peter Van Epp: "Re: DoS/DDoS Attack"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:13 EDT