Subject: Re: Can someone explain this to me? (Was "network based IDS")
From: Joseph Nicholas Yarbrough (nyarbrough at LURHQ.COM)
Date: Thu Nov 30 2000 - 18:07:34 CST
- Next message: Jon Gary: "Re: Can someone explain this to me? (Was "network based IDS")"
- Previous message: Joseph Nicholas Yarbrough: "Re: network based IDS"
- In reply to: Rob Shein: "Can someone explain this to me? (Was "network based IDS")"
- Next in thread: Teicher, Mark: "Re: Can someone explain this to me? (Was "network based IDS")"
- Next in thread: Jon Gary: "Re: Can someone explain this to me? (Was "network based IDS")"
- Next in thread: Thatcher Hubbard: "Re: network based IDS"
- Reply: Joseph Nicholas Yarbrough: "Re: Can someone explain this to me? (Was "network based IDS")"
- Reply: Teicher, Mark: "Re: Can someone explain this to me? (Was "network based IDS")"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thursday 30 November 2000 17:57, you wrote:
> Ok, I'd really like to know how an IDS is possibly going to be able to
> protect against a DDoS, since the real problem is as much the volume of
> traffic as the type of traffic. Obviously, by "DDoS," I am referring to
> the expansive, all-out mob-style attacks that made the term famous, not a
> set of 5 dial-up users who have been compromised. Even if the IDS can
> create rules on the fly in your firewall while brewing you a perfect cup of
> macchiato and taking your pet iguana for a walk, how can it possibly do any
> good when your link is saturated out past the border of your own network?
>
> > The CaptIo can create rules "on the fly" to protect against DDOS attacks
> > in less than 3 seconds.
It could create firewall rules to drop the packets at the kernel level to
avoid as much resource utilization as possible. That is about the only way I
could see it "protecting" you from DDoS. If the DDoS is a flood meant to
choke your bandwidth, not much could be done for this. (Without SNMP access
to the ACLs on your upstream router.) However, if they are trying to lock up
the machine by opening many connections to TCP/80 from many hosts, it could
protect you by dropping the packets before Apache/IIS/whatever spawns a copy
for that host. IMHO, this is useful technology.
Joseph Nicholas Yarbrough
Information Security Analyst
LURHQ Corporation
==========================>
843-347-1075 ext. 312
nyarbrough at lurhq.com
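The mechanism Joseph describes, an IDS watching connection attempts and pushing kernel-level drop rules for sources that open too many connections to TCP/80, as an added example that is not part of the original post and is not CaptIo's code. It assumes connection attempts are available as (timestamp, source IP, destination port) records (constructed sample below), a sliding window of 10 seconds with a threshold of 20 connection attempts per source (both hypothetical tuning values), and Linux iptables as the kernel-level drop mechanism; the rule strings are rendered, not executed. As the post says, this only helps against connection-exhaustion floods: if the upstream link itself is saturated, dropping packets on the host changes nothing.

```python
"""Added example: detect per-source connection floods to a port and render
the firewall rules an IDS would push to drop them in-kernel.

Not from the original post or any vendor product. Thresholds, window and
the record format are assumptions chosen for illustration.
"""
from collections import defaultdict, deque


def _build_sample_events():
    """Constructed sample of connection attempts: (timestamp_seconds, src_ip, dst_port).

    198.51.100.7  -> 30 SYNs to port 80 in about 4.4 seconds (a flooder).
    203.0.113.9   -> 25 connections spread one every 5 seconds (slow, legitimate).
    192.0.2.10    -> 3 connections, a normal browser.
    192.0.2.77    -> 40 SYNs to port 443, which a port-80 policy must ignore.
    """
    events = []
    events += [(100.0 + i * 0.15, "198.51.100.7", 80) for i in range(30)]
    events += [(100.0 + i * 5.0, "203.0.113.9", 80) for i in range(25)]
    events += [(101.0, "192.0.2.10", 80), (101.2, "192.0.2.10", 80), (103.5, "192.0.2.10", 80)]
    events += [(100.0 + i * 0.1, "192.0.2.77", 443) for i in range(40)]
    return events


SAMPLE_EVENTS = _build_sample_events()


def find_floods(events, port=80, threshold=20, window=10.0):
    """Return {src_ip: peak_count} for sources that made at least `threshold`
    connection attempts to `port` inside any sliding `window` of seconds.

    A per-source deque holds the timestamps still inside the window; older
    ones are evicted from the left as time advances, so the length of the
    deque is the count for the current window.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, dport in sorted(events):
        if dport != port:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def rules_for(sources, port=80, chain="INPUT"):
    """Render the iptables commands a rule-pushing IDS would run.

    Matching on --syn drops the handshake in the kernel's filter table, so
    the listening socket never completes the accept() and the web server
    never forks or threads a worker for that host. Commands are returned as
    strings; nothing here executes them.
    """
    return [
        f"iptables -I {chain} -s {ip} -p tcp --dport {port} --syn -j DROP"
        for ip in sorted(sources)
    ]


if __name__ == "__main__":
    flooders = find_floods(SAMPLE_EVENTS)
    for src, peak in flooders.items():
        print(f"{src}: {peak} attempts to TCP/80 within the window")
    for rule in rules_for(flooders):
        print(rule)
```

Whether to run the rendered rules with `subprocess` is a policy choice: an automated DROP on a spoofable source address is itself a denial-of-service lever, so a practitioner would normally expire the rules after a short time and exempt known-good ranges before letting any tool push them unattended.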