
| Subject: | Re: Denial of Service: Commercial Defense products |
|---|---|
| Date: | Fri, 30 Dec 2005 11:27:12 -0000 |
Hi
Thanks for the info on these DDoS mechanisms. It is very basic in my opinion.
Thanks /Mick
This is just some background info on this new (D)DoS technology Radware has, so people have a better idea of what Avi is talking about...
These parameters are:
1. Source IP
2. Destination IP
3. Source port
4. Destination port
5. Packet ID (IP ID)
6. Packet size
7. TCP TTL
8. ToS
9. IP checksum
10. TCP sequence number
11. TCP checksum
12. TCP flags
13. ICMP checksum
14. UDP checksum
15. ICMP message type
16. DNS query
17. DNS query ID
They create dynamic filters and see what kind of effect they have and how the blocked traffic source behaves. Based on those results they adjust those filters.
The way things work, it's not unusual for them to block legitimate traffic for a very small period of time while they are trying to figure out if the traffic they are processing is bad or good. The idea is that those black-out periods wouldn't affect the legitimate traffic much.
Kyle
P.S. I don't work for Radware :-)
-----Original Message-----
From: avi chesla [mailto:chess4_4@hotmail.com]
Sent: Tuesday, December 20, 2005 12:29 PM
To: finacksyn@yahoo.co.uk; devdas@dvb.homelinux.org; focus-ids@securityfocus.com
Subject: Re: Denial of Service: Commercial Defense products
Hi Matt,
It should be noted that I am an employee of Radware. The following answer is informative only.
The problem you have encountered has been handled in the latest versions of the DefensePro. A new mechanism (adaptive behavioral DoS protection) which aims to handle all types of floods has been implemented. This new mechanism uses a mature technology that was taken from V-Secure Technologies (this is connected with the acquisition that Radware made). The new mechanism mitigates TCP (SYN and also other TCP floods), UDP, ICMP and IGMP floods by using a statistical adaptive approach (i.e., no thresholds need to be set).

The mitigation methods that this mechanism allows are highly granular, which means that the detected attack is blocked according to multiple characteristic parameters taken from the packet headers and payload. These parameters (e.g., checksums, packet sizes, TTL, ports, DNS queries etc.) are detected on the fly and are automatically tailored through AND and OR logical relationships in order to generate the narrowest prevention measure against the detected attack (all in order to minimize the blocking of legitimate users). The integrated technology allows this whole process (detection and prevention) to take place without user intervention.

If you test mitigation tools, you should especially focus on the granularity and accuracy of the prevention rules that these tools provide. Regarding Toplayer and Riverhead, the aforementioned new protection is actually a breakthrough for Radware's mitigation capabilities. I advise you to test Radware's new DoS and DDoS solution compared to the other vendors - I think that the differences can be easily exposed.
Let me know if you need any more assistance.
Avi
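The mechanism both Avi and Kyle describe above, sketched as an added Python example that is not part of the thread: per-packet header parameters are combined with AND into the narrowest rule that covers the excess traffic, one such rule is mined per flood cluster and the rules are ORed, and each rule is scored against a known-good baseline so the collateral (Kyle's "black-out" of legitimate users) is visible. This is not Radware's or V-Secure's code and does not describe how DefensePro actually works; the field names, the greedy scoring (excess captured minus a penalty on baseline hits), the thresholds and the sample traffic are all constructed for illustration.

```python
"""Toy adaptive (D)DoS filter generator; constructed example, not Radware's code."""
from collections import Counter
import random

# Subset of the header parameters listed in the thread (field names assumed here).
FIELDS = ("proto", "src_ip", "dst_ip", "src_port", "dst_port", "size", "ttl", "tos", "tcp_flags", "dns_qid")

def matches(pkt, conj):
    """conj is a dict field -> value; every predicate must hold (AND)."""
    return all(pkt.get(f) == v for f, v in conj.items())

def hits(window, baseline, conj):
    return sum(matches(p, conj) for p in window), sum(matches(p, conj) for p in baseline)

def mine_conjunction(window, baseline, max_collateral=0.005, penalty=10, top=5):
    """Greedy AND: start with the (field, value) capturing the most excess traffic (baseline
    hits penalised), then add predicates only while they keep >= 95 % of that excess and
    strictly cut baseline hits; stop at max_collateral or when nothing narrows the rule."""
    conj, cur_w, cur_b = {}, len(window), len(baseline)
    while True:
        best = None
        for f in FIELDS:
            if f in conj:
                continue
            values = Counter(p[f] for p in window if matches(p, conj))
            for v, _ in values.most_common(top):
                if v is None:            # header absent (e.g. no TCP flags on UDP)
                    continue
                w, b = hits(window, baseline, {**conj, f: v})
                if conj and w - b < 0.95 * (cur_w - cur_b):
                    continue             # would drop too much of the flood
                score = (w - b) - penalty * b
                if best is None or score > best[0]:
                    best = (score, f, v, w, b)
        if best is None:
            break
        _, f, v, w, b = best
        if (not conj and w - b <= 0) or (conj and b >= cur_b):
            break                        # nothing flood-like / no further narrowing
        conj[f], cur_w, cur_b = v, w, b
        if b <= max_collateral * len(baseline):
            break
    return conj

def build_filter(window, baseline, min_cluster=0.1, **kw):
    """OR of conjunctions: mine one per cluster from the residual until the remaining excess
    is below min_cluster of the excess at detection (window and baseline: equal durations)."""
    excess, rules = len(window) - len(baseline), []
    while excess > 0 and len(window) - len(baseline) >= min_cluster * excess:
        conj = mine_conjunction(window, baseline, **kw)
        w, b = hits(window, baseline, conj)
        if not conj or w - b < min_cluster * excess:
            break
        rules.append(conj)
        window = [p for p in window if not matches(p, conj)]
        baseline = [p for p in baseline if not matches(p, conj)]
    return rules

def evaluate(rules, labeled):
    """Fractions of attack and of legitimate packets blocked (the 'black-out' cost)."""
    atk = [any(matches(p, c) for c in rules) for p, a in labeled if a]
    leg = [any(matches(p, c) for c in rules) for p, a in labeled if not a]
    return sum(atk) / len(atk), sum(leg) / len(leg)

def gen_normal(rng, n):
    """Constructed legitimate mix: HTTP, DNS and ICMP echo from 10.0.0.0/22 hosts."""
    pkts = []
    for _ in range(n):
        p = dict(src_ip=f"10.0.{rng.randint(0, 3)}.{rng.randint(1, 254)}", tos=0,
                 src_port=rng.randint(1024, 65535), ttl=rng.choice((64, 128, 255)),
                 tcp_flags=None, dns_qid=None)
        kind = rng.choices(("http", "dns", "icmp"), weights=(6, 3, 1))[0]
        if kind == "http":
            p.update(proto="tcp", dst_ip="192.0.2.10", dst_port=80, tcp_flags=rng.choice(("S", "A", "PA", "FA")),
                     size=rng.choice((60, 120, 576, 1500)))
        elif kind == "dns":
            p.update(proto="udp", dst_ip="192.0.2.53", dst_port=53, dns_qid=rng.randint(0, 65535),
                     size=rng.choice(range(56, 88, 4)))
        else:
            p.update(proto="icmp", dst_ip="192.0.2.10", dst_port=None, src_port=None, size=84)
        pkts.append(p)
    return pkts

def gen_flood(rng, n, **fixed):
    """One tool behind spoofed sources: random ports and query IDs, everything else fixed."""
    return [{"src_ip": ".".join(str(rng.randint(1, 254)) for _ in range(4)),
             "src_port": rng.randint(1024, 65535), "dns_qid": rng.randint(0, 65535),
             "tos": 0, "tcp_flags": None, **fixed} for _ in range(n)]

def demo(seed=7):
    """Baseline from a quiet period; window = the same legitimate mix plus two floods."""
    rng = random.Random(seed)
    baseline = gen_normal(rng, 300)
    dns = gen_flood(rng, 1200, proto="udp", dst_ip="192.0.2.53", dst_port=53, size=64, ttl=128)
    syn = gen_flood(rng, 800, proto="tcp", dst_ip="192.0.2.10", dst_port=80, size=40, ttl=64,
                    tcp_flags="S", dns_qid=None)
    labeled = [(p, False) for p in gen_normal(rng, 300)] + [(p, True) for p in dns + syn]
    rules = build_filter([p for p, _ in labeled], baseline)
    return rules, evaluate(rules, labeled)   # rules, (attack blocked, legitimate blocked)
```

Calling `demo()` returns the ORed rule list and the fractions of attack and legitimate traffic the rules match. In the constructed window the DNS flood is cut out by a narrow AND on packet size and TTL rather than by blocking port 53 outright, and the SYN flood by its fixed packet size; the single predicates that share many packets with the baseline (protocol, destination port, ToS) lose because of the collateral penalty. The second number is the black-out Kyle mentions: it is estimated only against the baseline, so on live traffic the rule has to be re-scored while it is active and dropped or re-mined when the flood changes shape, which is what the adjust-and-observe loop in the thread is for.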