PaulDotCom mailing list archives

DDOS


From: shukin at gsenterprises.biz (Geoff Shukin)
Date: Wed, 21 Apr 2010 08:05:45 -0600

It is a Cisco ASA.  I am aware of the settings on these firewalls but do
they really solve the issue?  I was thinking that protecting the firewall
(ASA or others) from a DDoS would really be something that should happen
upstream and/or downstream from the firewall itself.  "TCP Intercept/SYN
Cookies" do not protect the firewall, it's a feature for protecting a device
from being flooded by embryonic connections.  The firewall brokers the
connection on behalf of the device that a session is attempting to be
established with.  Once the 3-way-handshake completes, the firewall then
stitches the session together between the initiator/receiver and data is
then allowed to pass.  If the 3-way-handshake fails to complete within
N-time, then the session is dropped.  Good for preventing SYN floods from
the end devices but bad for the overall firewall health?

I was interested in learning more about what others are doing along the
lines of hardening, etc.  I try to always ensure that the firewall is
configured to allow SSH access to only known trusted sources, restrict what
log messages are sent to the syslog server, restrict SNMP to trusted NMS
devices, limit use of the "application layer protocol inspection" to
business required deep-packet-inspection engines and of course the impact of
the app-inspection would be dependent on the traffic profile of the DDOS.
There is only so much that can be done on other devices upstream/downstream
that can "enforce policies by filtering" and only allow X-traffic either
*to* or *through* the firewall.  Yet someone with enough resources seems to
be able to effectively kill the firewall and disable the services behind it.

Are there other mitigation mechanisms that I should be exploring both on the
firewall or perhaps on the screening routers or am I really looking for
another appliance that sits inline upstream from the firewall?

Thanks

Geoff



On Wed, Apr 21, 2010 at 6:20 AM, Butturini, Russell <
Russell.Butturini at healthways.com> wrote:

What kind of firewall is it? Many vendors have controls such as embryonic
connection limits and some QoS policing that can prevent this sort of
thing.  We have a web presence of around 350 sites and using these
techniques has mitigated most of our issues.


------------------------------

*From:* pauldotcom-bounces at mail.pauldotcom.com [mailto:
pauldotcom-bounces at mail.pauldotcom.com] *On Behalf Of *Geoff Shukin
*Sent:* Tuesday, April 20, 2010 4:37 PM
*To:* Pauldotcom at mail.pauldotcom.com
*Subject:* [Pauldotcom] DDOS



Hi!

I am curious to know what folks are doing to combat the issue of DDOS
attacks.  I have heard about solutions from Arbor and TopLayer but wonder if
they are effective.  Are there any other suggestions out there in PaulDotCom
land?

We have seen DDOS attacks against one of our websites (using a combination
of ICMP, TCP SYN and UDP flood attacks). Firewall stops the attacks in that
the web servers are ok but the firewall falls over with 100% CPU.

Thanks

Geoff



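For readers who want to see what the controls discussed in this thread look like on a Cisco ASA, the configuration below is an added example, not taken from either poster's environment. It puts Russell's embryonic connection limits into Modular Policy Framework syntax and adds the management-plane restrictions Geoff lists (SSH, SNMP and syslog limited to trusted hosts). Interface names, the addresses (RFC 5737 / RFC 1918 ranges), the community string and every threshold are assumptions to be tuned to the real traffic profile.

```cisco
! Added example for this thread; all names, addresses and limits are assumptions.

! Match the public web server so the connection limits apply only to it.
access-list WEB_TRAFFIC extended permit tcp any host 203.0.113.10 eq www
access-list WEB_TRAFFIC extended permit tcp any host 203.0.113.10 eq https
!
class-map WEB_CONN
 match access-list WEB_TRAFFIC
!
policy-map outside_policy
 class WEB_CONN
  ! Total and half-open (embryonic) caps, plus per-source caps so one
  ! spoofed or bot source cannot consume the whole table.
  set connection conn-max 20000 embryonic-conn-max 5000 per-client-max 200 per-client-embryonic-max 30
  ! Tear down half-open sessions after 10s instead of the default 30s.
  set connection timeout embryonic 0:00:10
!
service-policy outside_policy interface outside
!
! Management plane: only the trusted management subnet may reach SSH.
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
!
! SNMP only to the trusted NMS, polling only (community string is a placeholder).
snmp-server host inside 10.0.0.50 poll community EXAMPLE-COMMUNITY
!
! Syslog: one trusted collector, warnings and above only, and silence the
! per-packet "Deny TCP (no connection)" message that explodes during a SYN flood.
logging enable
logging host inside 10.0.0.60
logging trap warnings
no logging message 106015
!
! Do not answer ICMP aimed at the outside interface itself.
icmp deny any outside
```

Two things to keep in mind when using this. First, as Geoff says, these limits protect the servers behind the ASA; they do not stop the firewall itself from spending CPU on every packet it has to classify and drop, so a flood large enough to pin the CPU still needs to be filtered or rate-limited upstream (screening router ACLs, provider blackholing or scrubbing). Second, per-client limits are only useful against floods with a limited number of real source addresses; a spoofed SYN flood spreads across the per-client caps and is governed by the aggregate embryonic-conn-max and the embryonic timeout instead.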
