-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
For the most part, both, a yes to each of your questions. And as many
stated earlier, the only recourse is to go upstream for assistance in the
case of a large scaled attack.
To get an idea of the issues involved in simply trying to locate the
source<s> of an attack, try tracing back towards the offending addresses,
taking into account the ability to spoof attack addresses, and
understanding the concepts of packet mangling...
Thanks,
Ron DuFresne
On Mon, 4 Jun 2007, Martin McKeay wrote:
I'm glad you summed up the technical aspects of the conversation so far.
A DDoS attack is a serious problem, no matter what form it takes.
I have one question for you: do you really believe that there's no
defense other than not waking the lion, that the battle is already lost?
That doesn't paint a pretty picture to me. Are you basing this on
published work or personal experience? Which I guess makes two
questions, so I'll quit while I'm ahead.
Martin
Martin McKeay, CISSP, GSNA
Cobia Product Evangelist
StillSecure
martin@xxxxxxxxxxxxxxx
707-495-7926
http://www.cobiablog.com
-- R. DuFrense wrote --
DDOS attacks work against resources, the tcp/ip stack <half opens
(syn's) left hanging>, memory <cache of data in your syn-flood db>,
drive space <system logs with overzealous logging of packet flow in
limited space, or how much disk is devoted to a syn-flood db>, the size
of your pipe...
In any but the most simplistic low bandwith attacks there is little one
can do in such cases but either ride out the storm or go upstream for
help in resolution <mist often a block of the damaging traffic>. Even
an semi-decent firewall defense against a simple low bandwith syn flood
will need to be totally rework for defense in the case of a simple
lowbandwidth ping flood, etc. And once the attack level is amplified
above the flow capabilities of your pipe, all bets are off. In a
serious flooding attack the firewall simply become a stopgate from
preventing work on the local net from being affected. There have been
and will continue to be some rather decently funded companies with some
fairly decent pipes wiped out of business or their internet presence
closed up due to some of these kinds of attacks over extended periods of
time. Goverments across the globe have had internet services disrupted
for extended periods.
Microsoft has had to relocate servers to new net/ip addresses to divert
the flow from such attacks and stay somewhat online...
Best way to avoid such problems is to not get into a whose prick is
bigger contest with some kid in IRC that controls a 10,000-100,000 or
larger series of zombies in their botnet.
It's the nature of the game, all in the design...
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com Key fingerprint = 9401 4B13
B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover instead of creating the
perfect love.
-Tom Robbins <Still Life With Woodpecker> -----BEGIN
PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFGYcADst+vzJSwZikRApiLAJ444UDiM3HZnoNLO7ECHocT31r88wCeMhmS
Zv2jS1v6fCcb3gLbx9+KqHQ=
=iZ/G
-----END PGP SIGNATURE-----
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFGZJ1Qst+vzJSwZikRAnOnAKCq3f7tiM9ynbYWbovDP4wmrCO6OACgvzIR
LQDjBIOKqpaz7N/8yMH3yhc=
=n3I0
-----END PGP SIGNATURE-----
