
| Subject: | Re: DoS/DDoS Attack |
|---|---|
| Date: | Fri, 14 Jan 2005 11:41:25 -0700 |
Wallisch, Philip wrote:
There are a lot of devices out there that can mitigate attack traffic. These devices work to varying degrees of effectiveness. The new trend is to inject data into a table, and get a baseline for what "normal" traffic is on your system. Then when abnormal traffic begins to appear these devices will compare against your regular traffic and the new flurry of packets that are coming in, and make intelligent decisions (based on commonalities that appear in traffic (IE: incrementing packet #'s, same TTL etc)).

I wouldn't say "no way of determining". Check out http://www.riverhead.com/
Through the use of baselines and complicated algorithms you can scrub at least some of that traffic.
-----Original Message-----
From: Faisal Khan [mailto:faisal@netxs.com.pk]
Sent: Friday, January 14, 2005 1:06 AM
To: pen-test@securityfocus.com
Subject: DoS/DDoS Attack
Folks,
Two quick questions.
When IP (Source) addresses are spoofed, is there no way of determining (a) that the IP Source Address is spoofed and not the genuine one (b) to be able to determine the actual IP address that is sending DoS packets?
Somehow I get the feeling I'm SOL when trying to find out the "genuine/actual" source IP address.
If this is the case, then pretty much we all are helpless with DoS/DDoS attacks - considering one can write a script/program to keep incrementing or randomly assigning spoofed source addresses in the DoS packets being sent out.
Faisal
Faisal Khan, CEO Net Access Communication Systems (Private) Limited
Kevin Willock IGSN Security
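
The baseline comparison described in the reply above, sketched as an added example that is not part of the original thread or of any vendor's product. It assumes "packet #'s" refers to the IP identification field; the record layout, thresholds and sample packets are constructed for illustration.

```python
from collections import Counter, defaultdict

def ttl_shares(packets):
    """Fraction of packets observed at each arriving TTL value."""
    counts = Counter(ttl for _, ttl, _ in packets)
    total = sum(counts.values())
    return {ttl: n / total for ttl, n in counts.items()}

def suspicious_groups(baseline, window, min_share_jump=0.3,
                      min_sources=5, min_seq=0.8):
    """Flag TTL groups in `window` that look like one sender behind many
    claimed sources: a TTL far more common than in the baseline, many
    distinct source addresses, and IP IDs that step by one in arrival order.
    Thresholds are assumed values, to be tuned against real traffic."""
    base, now = ttl_shares(baseline), ttl_shares(window)
    by_ttl = defaultdict(list)
    for src, ttl, ip_id in window:
        by_ttl[ttl].append((src, ip_id))
    findings = []
    for ttl, pkts in by_ttl.items():
        jump = now[ttl] - base.get(ttl, 0.0)
        sources = {src for src, _ in pkts}
        ids = [ip_id for _, ip_id in pkts]
        # The IP ID is 16 bits wide, so compare modulo 65536 to survive wrap-around.
        steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
        seq = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        if jump >= min_share_jump and len(sources) >= min_sources and seq >= min_seq:
            findings.append({"ttl": ttl, "sources": len(sources),
                             "share_jump": round(jump, 2),
                             "sequential_ids": round(seq, 2)})
    return findings

# Constructed records (src_ip, ttl, ip_id) using documentation address ranges.
BASELINE = [("192.0.2.%d" % i, ttl, ip_id) for i, (ttl, ip_id) in enumerate(
    [(52, 811), (57, 40210), (113, 7), (116, 30122),
     (48, 9000), (243, 1200), (52, 61000), (119, 455)])]
# Constructed flood: 12 different claimed sources, one TTL, one ID counter.
FLOOD = [("198.51.100.%d" % (7 * i % 250), 109, (65530 + i) % 65536)
         for i in range(12)]
WINDOW = BASELINE[:4] + FLOOD

if __name__ == "__main__":
    for finding in suspicious_groups(BASELINE, WINDOW):
        print(finding)
```

A flagged group gives a filter criterion for scrubbing (here, the shared TTL), not the sender's real address, and hosts that randomize IP IDs will not trip the sequential-ID test.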