Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: DDOS Bot Blacklist

from [Andy Cuff] Network Security [Permanent Link]
Subject: RE: DDOS Bot Blacklist
Date: Mon, 15 Nov 2004 19:31:53 -0000 
Hi Rob,
Thank you for your response
For the larger more complex attacks you are right, though many end networks
(non-ISP) can withstand a surprisingly high volume of attack either through
their Attack Mitigation Systems (upstream of the firewall) or Increasing the
size of their pipe, ideally both.  I'm going to revisit my list of Attack
Mitigation Systems and Network Intrusion Prevention Systems next week.  It's
all related to the project I'm working on, but I didn't want to spam the
list with a barrage of emails simultaneously.

   Regards
   -andy cuff
The Talisker Network Security Portal
http://securitywizardry.com 
Computer Network Defence Ltd

-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net] 
Sent: 15 November 2004 05:37
To: 'Andy Cuff'; focus-ids@securityfocus.com
Subject: RE: DDOS Bot Blacklist

The further question that comes to my mind is who would enforce blocking
based on this list?  It seems to me that if the subscribers to the list were
anything other than ISPs, there would be little point to it.  By the time
you're blocking at your firewall, the DDoS traffic has already consumed what
bandwidth it was meant to consume.  And this is, of course, in addition to
your concerns about DHCP addressing and spoofed source addresses.


-----Original Message-----
From: Andy Cuff [mailto:lists@securitywizardry.com] 
Sent: Sunday, November 14, 2004 5:27 PM
To: focus-ids@securityfocus.com
Subject: DDOS Bot Blacklist


Hi,
I was wondering if anyone had looked into the creation of a 
blacklist for DDOS bots?  
There are obvious concerns; firstly, where the source may be 
spoofed, though most of the Attack Mitigation Systems should 
deal with stateless attacks and secondly, with so many of the 
bots originating from DHCP scopes, many bots this could be 
overcome by rapid aging of the addresses or only including 
addresses used more than once indicating a long term address 
lease in the scope.  

   Regards
   -andy cuff
The Talisker Network Security Portal http://securitywizardry.com 
Computer Network Defence Ltd


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.789 / Virus Database: 534 - Release Date: 07/11/2004
 


--------------------------------------------------------------
------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world 
attacks from 
CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04

0708 
to learn more.
--------------------------------------------------------------------------



---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.789 / Virus Database: 534 - Release Date: 07/11/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.789 / Virus Database: 534 - Release Date: 07/11/2004
 


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: need your help about IPS and IDS,thanks, Ophir Rachman
Next by Date:  Re: need your help about IPS and IDS,thanks, Lily
Previous by Thread:  Re: DDOS Bot Blacklist, Kevin
Next by Thread:  need your help about IPS and IDS,thanks, Lily
Indexes:  [Date] [Thread] [Top] [All Lists]