AFAIK, Allot boxes do have an option to decide whether or not to drop traffic above a certain definable number of connections, which is not really an attack recognition, but it's as close as it gets in their box. Anyway, as you say, they don't react automatically; you need to set it first :(
On Fri, 22 Oct 2004, Albinati, Luis Martin wrote:
I am considering some bandwidth management solutions and would like to know if some of you people have had some real-world experiences with these kinds of boxes. More specifically, I am looking at some Large-ISP or Carrier-Grade solutions with at least the following specifications:
= 1Gbps traffic capacity
500k simultaneous connections
Layer 7 stateful packet inspection (via protocol signatures and/or protocol analysis)
Traffic prioritization, shaping, QoS and bandwidth provisioning based on custom defined policies (vlan id, ip ranges, tos, time of day, etc)
Possibility to easily update and deploy new or modified protocol definitions without affecting availability.
Add here: "automatic rate-limiter adaptation" / "attack pattern recognition".
Do we still have solutions on the table? I'd be interested what kind of solutions are available in Gbit/s-grade which do not need you to configure certain kind of rate-limiters a priori, but can automatically react to most kinds of attacks, even simple ones (e.g., TCP SYN floods).
--
Pekka Savola, Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds." -- George R.R. Martin: A Clash of Kings