You can have defense against many kind of ddos attacks but victory is
not sure at all. Take the case for example when a very large number of
distributed bots issues many but slow SYN/ACK bounce attacks or plain
protocol connections to your site. If they do it 'right' you will end up
with up to millions of sources doing 'ordinary' things with random
sources. No source will ever trigger anything above an average user. One
important step in taking ddos seriously was when the first ISP went
broke because it was a target.
So take up the fight when it happens. Most attackers are not
resourceful enough (either by available hw/bots or technical knowledge),
so on the long term you can usually win. But loosing the war is always a
possibility no matter how good you are...
Martin McKeay wrote:
I'm glad you summed up the technical aspects of the conversation so far.
A DDoS attack is a serious problem, no matter what form it takes.
I have one question for you: do you really believe that there's no
defense other than not waking the lion, that the battle is already lost?
That doesn't paint a pretty picture to me. Are you basing this on
published work or personal experience? Which I guess makes two
questions, so I'll quit while I'm ahead.
Martin
Martin McKeay, CISSP, GSNA
Cobia Product Evangelist
StillSecure
martin@xxxxxxxxxxxxxxx
707-495-7926
http://www.cobiablog.com
-- R. DuFrense wrote --
DDOS attacks work against resources, the tcp/ip stack <half opens
(syn's) left hanging>, memory <cache of data in your syn-flood db>,
drive space <system logs with overzealous logging of packet flow in
limited space, or how much disk is devoted to a syn-flood db>, the size
of your pipe...
In any but the most simplistic low bandwith attacks there is little one
can do in such cases but either ride out the storm or go upstream for
help in resolution <mist often a block of the damaging traffic>. Even
an semi-decent firewall defense against a simple low bandwith syn flood
will need to be totally rework for defense in the case of a simple
lowbandwidth ping flood, etc. And once the attack level is amplified
above the flow capabilities of your pipe, all bets are off. In a
serious flooding attack the firewall simply become a stopgate from
preventing work on the local net from being affected. There have been
and will continue to be some rather decently funded companies with some
fairly decent pipes wiped out of business or their internet presence
closed up due to some of these kinds of attacks over extended periods of
time. Goverments across the globe have had internet services disrupted
for extended periods.
Microsoft has had to relocate servers to new net/ip addresses to divert
the flow from such attacks and stay somewhat online...
Best way to avoid such problems is to not get into a whose prick is
bigger contest with some kid in IRC that controls a 10,000-100,000 or
larger series of zombies in their botnet.
It's the nature of the game, all in the design...
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com Key fingerprint = 9401 4B13
B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover instead of creating the
perfect love.
-Tom Robbins <Still Life With Woodpecker> -----BEGIN
PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFGYcADst+vzJSwZikRApiLAJ444UDiM3HZnoNLO7ECHocT31r88wCeMhmS
Zv2jS1v6fCcb3gLbx9+KqHQ=
=iZ/G
-----END PGP SIGNATURE-----
