IDS mailing list archives
RE: Denial of Service: Commercial Defense products
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Tue, 27 Dec 2005 11:00:22 -0500
This is just some background info on this new (D)DoS technology Radware has, so people have a better idea of what Avi is talking about... These parameters are: 1. Source IP. 2. Destination IP. 3. Source port. 4. Destination port. 5. Packet ID (IP ID). 6. Packet size. 7. TCP TTL. 8. ToS. 9. IP checksum. 10. TCP sequence number. 11. TCP checksum. 12. TCP flags. 13. ICMP checksum. 14. UDP checksum. 15. ICMP message type. 16. DNS query. 17. DNS query ID. They create dynamic filters and see what kind of effect they have and how the blocked traffic source behaves. Based on those results they adjust those filters. The way things work it's not unusual for them to block legitimate traffic for a very small period of time while they are trying to figure out if traffic they are processing is bad or good. They idea is that those black out periods wouldn't affect the legitimate traffic much. Kyle P.S. I don't work for Radware :-) -----Original Message----- From: avi chesla [mailto:chess4_4 () hotmail com] Sent: Tuesday, December 20, 2005 12:29 PM To: finacksyn () yahoo co uk; devdas () dvb homelinux org; focus-ids () securityfocus com Subject: Re: Denial of Service: Commercial Defense products Hi Matt, It should be noted that I am an employee of Radware. The following answer is informative only. The problem you have encountered has been handled in the latest versions of the DefensePro. A new mechanism (adaptive behavioral DoS protection) which aims to handle all types of floods has been implemented. This new mechanism uses a mature technology that was taken from V-Secure Technologies (this is involved with the acquisition that Radware made). The new mechanism mitigates TCP (Syn and also other TCP floods), UDP, ICMP and IGMP floods by using a statistical adaptive approach (i.e., no thresholds need to be set). The mitigation methods that this mechanism allows are highly granular which means that the detected attack is blocked according to multiple characteristic parameters taken from the packet headers and payload. These parameters (e.g., checksums, packet sizes, TTL, ports, DNS queries etc) are detected on the fly and are automatically tailored through an AND and OR logical relationships in order to generate the most narrow prevention measure against the detected attack (all in order to minimize the blocking of legitimate users). The integrated technology allows this whole process (detection and prevention) to take place without user intervention. If you test mitigation tools, you should especially focus on the granularity and accuracy of the prevention rules that these tools provide. Regarding Toplayer and Riverhead, the aforementioned new protection is actually a breakthrough for Radware mitigation capabilities. I advise you to test Radware's new DoS and DDoS solution compared to the other vendors - I think that the differences can be easily exposed. Let me know if need any more assistance. Avi ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Denial of Service: Commercial Defense products avi chesla (Dec 12)
- Re: Denial of Service: Commercial Defense products FinAckSyn (Dec 16)
- Re: Denial of Service: Commercial Defense products avi chesla (Dec 21)
- Re: Denial of Service: Commercial Defense products snort user (Dec 21)
- <Possible follow-ups>
- RE: Denial of Service: Commercial Defense products Kyle Quest (Dec 27)
- RE: Denial of Service: Commercial Defense products Barrett G. Lyon (Dec 28)
- Re: Denial of Service: Commercial Defense products FinAckSyn (Dec 16)