Firewall Wizards mailing list archives
***SPAM*** Re: Firewalls that generate new packets..
From: Dave Piscitello <dave () corecom com>
Date: Wed, 28 Nov 2007 17:07:35 -0500
Let's lower the testosterone, tease out the two discussions that are running in parallel and find some useful points to share.
I hope we agree that:

1) stopping DDOS attacks directed AT you, from multiple (spoofed) sources, is something few firewalls can do if the attack is large/amplified/sustained. It's hard even with additional security measures, and cooperation from upstream providers. If someone really wants you badly and has the "connections" (pun intended) he can make life pretty miserable for you irregardless of the firewall you use. [Anycasting helped root name servers withstand DDOS amplification attacks, perhaps this is promising for other applications.]
2) preventing hosts protected by a firewall you administer from acting as sources for (1) is something firewalls can do (at least in a limited capacity).
My experience is that many firewall admins worry about (1) more than (2) in part because DDOS attacks are familiar to the culture and the effects of a DDOS attack directed at your organization often have a financial and reputational impact. Only recently are botnets, fast flux hosting, and other attacks earning "pop news" attention, so until recently, dedicated and earnest security practitioners have encouraged (2).
Darren Reed wrote:

> Darden, Patrick S. wrote:
>
>> No offense, but both of you are wrong. Properly configured, a simple firewall CAN prevent most DOS attacks. Check out this SANS bulletin on "Defeating DDOS". Yes, that is my name in the credits. Special task force back in 2000. Sigh, and still people don't know that you can use a simple firewall to defeat most DOS attacks... as long as you are protecting the world from YOUR network.....
>>
>> http://www.sans.org/dosstep/index.php?portal=fa88d69a3aede10976f8f2dc977d796e
>
> I see nothing in that article that explains how a firewall can be used to defend against a DOS (or DDOS) attack. All I see is how to avoid yourself from being used as the source of one - where source IP addresses are forged.
>
> When I've got an army of 100,000 pc's scattered around the globe ready to try and connect() to your web server (without spoofing an IP#), how does anything in that article help?
>
> Darren
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
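The anti-spoofing check behind point (2), as an added example that is not part of this thread or of the SANS document it references: an egress rule drops anything leaving the protected network with a source address that is not ours, and the matching ingress rule drops arrivals that claim our addresses or come from unroutable prefixes. The internal netblock (192.0.2.0/24) and the traffic sample are constructed for illustration; the last sample packet shows Darren's point, a genuine remote host with a real source address passes untouched.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the netblock this firewall is responsible for
# (a documentation range, chosen purely for illustration).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Source prefixes that should never appear on packets arriving from the
# Internet (unspecified, private, loopback, link-local, multicast).
BOGON_NETS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving our network, "in" = arriving from outside
    src: str
    dst: str


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def verdict(pkt: Packet) -> str:
    """Return "accept" or "drop: <reason>", applying source-address
    sanity checks in both directions."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        # Egress: a packet leaving us must carry one of OUR addresses,
        # otherwise a host behind the firewall is forging its source.
        if not _in_any(src, INTERNAL_NETS):
            return "drop: spoofed source leaving network"
        return "accept"
    if pkt.direction == "in":
        # Ingress: nothing from outside may claim to be one of our
        # addresses or come from a prefix that cannot be routed to us.
        if _in_any(src, INTERNAL_NETS):
            return "drop: external packet claims internal source"
        if _in_any(src, BOGON_NETS):
            return "drop: bogon source"
        return "accept"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def apply_policy(packets):
    return [(p, verdict(p)) for p in packets]


# Constructed traffic sample.
SAMPLE = [
    Packet("out", "192.0.2.10", "198.51.100.5"),    # legitimate outbound
    Packet("out", "203.0.113.77", "198.51.100.5"),  # forged source from inside
    Packet("in", "192.0.2.10", "192.0.2.80"),       # outsider pretending to be us
    Packet("in", "10.1.2.3", "192.0.2.80"),         # bogon source
    Packet("in", "203.0.113.77", "192.0.2.80"),     # real remote host: not stopped here
]

if __name__ == "__main__":
    for pkt, v in apply_policy(SAMPLE):
        print(f"{pkt.direction:>3} {pkt.src:>14} -> {pkt.dst:<14} {v}")
```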