Re: [Re: Which Part(s) Failed in the recent DOS Attacks?]
Joe, Firewall-1 has the SynDefender and Cisco IOS 12.0 has TCP Intercept for stopping TCP DOS. Could these features stop massive TCP DOS attacks?
Thanks, Audie Onibala
******************************
Joe Shaw <jshaw@insync.net> wrote:
On 9 Feb 2000, Toplez Razer wrote:
1. Was it the firewall DOS filter?
With packet based DoS attacks, filters don't matter. Bandwidth and saturation are what matters.
2. No firewall in Yahoo, EBay, ETrade, etc?
Yes, there are, and no, they wouldn't have helped for the reason stated above.
3. Firewall DOS filter worked, but the links were still clogged with massive ACKs/NACKs?
Not exactly, but fairly close.
--
Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
On Tue, Mar 18, 2036 at 03:33:35AM -0700, Toplez Razer wrote:
Joe, Firewall-1 has the SynDefender and Cisco IOS 12.0 has TCP Intercept for stopping TCP DOS. Could these features stop massive TCP DOS attacks?
Not a chance in hell. Anything short of a GSR has problems forwarding or flat out dropping (surprisingly, oftentimes you get better performance from CAR than an ACL deny) the number of packets/sec. Packet inspection, especially of the involved nature of TCP Intercept, is totally useless for attacks of this size. TCP Intercept performance is closer to that of a unix machine with a protected kernel; it will do better than the original kernels back in the day when PANIX was DoS'd by dialup-speed floods, actually it will compete with a very strong unix box running top notch code that still has to process the SYN and attempt a connection, but that's still at least an order of magnitude too little...
--
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA
On 9 Feb 2000, Toplez Razer wrote:
Joe, Firewall-1 has the SynDefender and Cisco IOS 12.0 has TCP Intercept for stopping TCP DOS. Could these features stop massive TCP DOS attacks?
Both could possibly help, but when you're dealing with 800Mbps, which is how much traffic was reported in the Yahoo DoS, filters don't matter. The problem is, you fill up the pipes and it doesn't matter that the router or the firewall drops the packets because legitimate traffic can't get through. If the attacks were smaller directed attacks you'd have a better chance of defending yourself, but with these new DDoS attacks it makes it next to impossible unless you're a Tier1 or your Tier1 will actively filter. That's what makes them so devastating right now.
--
Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
On Wed, Feb 09, 2000 at 11:37:36PM -0600, Joe Shaw wrote:
On 9 Feb 2000, Toplez Razer wrote:
Joe, Firewall-1 has the SynDefender and Cisco IOS 12.0 has TCP Intercept for stopping TCP DOS. Could these features stop massive TCP DOS attacks?
Both could possibly help, but when you're dealing with 800Mbps, which is how much traffic was reported in the Yahoo DoS, filters don't matter. The problem is, you fill up the pipes and it doesn't matter that the router or the firewall drops the packets because legitimate traffic can't get through. If the attacks were smaller directed attacks you'd have a better chance of defending yourself, but with these new DDoS attacks it makes it next to impossible unless you're a Tier1 or your Tier1 will actively filter. That's what makes them so devastating right now.
GlobalCenter has that kind of pipe, if you can filter out the bad traffic from the good. With smurfs it's easy, icmp echo-reply is not a "necessary" packet type. With SYN/ACK floods it's not so easy. But then again the day I see an 800Mbps SYN flood is the day I throw in the towel and go home.
--
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
MFN / AboveNet Communications Inc - ISX Network Engineer, Vienna VA
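The two points made above (Joe's: a filter at the victim's edge cannot help once the upstream link is full, so the filtering has to happen at the Tier1; Richard's: upstream filtering only works when the bad traffic is distinguishable by header, as echo-reply is for a smurf and a SYN is not for a SYN flood) can be shown with a small simulation. This is an added example, not code from anyone in the thread; the link capacity, packet rates, traffic mix and the two filter rules are constructed assumptions, and the model is a toy tail-drop link, not a measurement of any real router.

```python
"""Toy model of filter placement against a link-saturating flood.

Pipeline per tick:  traffic -> upstream filter (Tier-1 side) -> link that
carries at most `capacity` packets and tail-drops the rest -> edge filter
(the victim's firewall/router) -> host.  All numbers are constructed.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "icmp"
    kind: str    # "SYN", "ACK" or "echo-reply"
    legit: bool  # ground truth, used only to score the outcome

Filter = Callable[[Packet], bool]  # returns True when the packet is to be dropped

def drop_echo_reply(p: Packet) -> bool:
    """Smurf case: ICMP echo-reply is not a 'necessary' packet type for a server,
    so a header-only rule removes the flood without touching legitimate traffic."""
    return p.proto == "icmp" and p.kind == "echo-reply"

def drop_syn(p: Packet) -> bool:
    """SYN-flood case: the only header-level rule is to drop SYNs, which also
    drops every legitimate connection attempt (collateral damage)."""
    return p.proto == "tcp" and p.kind == "SYN"

def legit_tick(pps: int) -> List[Packet]:
    # Constructed legitimate mix: one SYN for every three ACK/data packets.
    return [Packet("tcp", "SYN" if i % 4 == 0 else "ACK", True) for i in range(pps)]

def attack_tick(pps: int, kind: str) -> List[Packet]:
    if kind == "smurf":
        return [Packet("icmp", "echo-reply", False)] * pps
    if kind == "synflood":
        return [Packet("tcp", "SYN", False)] * pps
    raise ValueError(f"unknown attack kind: {kind}")

def simulate(capacity: int, legit_pps: int, attack_pps: int, attack_kind: str,
             upstream: Optional[Filter] = None, edge: Optional[Filter] = None,
             ticks: int = 1000, seed: int = 7) -> Tuple[float, float]:
    """Return (fraction of legitimate packets delivered, fraction of attack packets delivered)."""
    rng = random.Random(seed)
    legit_sent = attack_sent = legit_ok = attack_ok = 0
    for _ in range(ticks):
        offered = legit_tick(legit_pps) + attack_tick(attack_pps, attack_kind)
        rng.shuffle(offered)            # arrival order is a random interleaving
        legit_sent += legit_pps
        attack_sent += attack_pps
        if upstream is not None:        # filtering before the link frees capacity
            offered = [p for p in offered if not upstream(p)]
        carried = offered[:capacity]    # saturated link: everything past capacity is lost
        if edge is not None:            # filtering after the link frees nothing
            carried = [p for p in carried if not edge(p)]
        legit_ok += sum(1 for p in carried if p.legit)
        attack_ok += sum(1 for p in carried if not p.legit)
    return legit_ok / legit_sent, (attack_ok / attack_sent) if attack_sent else 0.0

if __name__ == "__main__":
    cases = [
        ("smurf, no filter, link 2x oversubscribed",  dict(attack_kind="smurf")),
        ("smurf, echo-reply filter at the edge",      dict(attack_kind="smurf", edge=drop_echo_reply)),
        ("smurf, echo-reply filter upstream",         dict(attack_kind="smurf", upstream=drop_echo_reply)),
        ("SYN flood, SYN filter upstream",            dict(attack_kind="synflood", upstream=drop_syn)),
    ]
    for name, kw in cases:
        legit, attack = simulate(capacity=100, legit_pps=20, attack_pps=180, **kw)
        print(f"{name:45s} legit delivered {legit:.2f}  attack delivered {attack:.2f}")
    # A small directed attack that does not fill the link is handled fine at the edge.
    legit, attack = simulate(100, 20, 30, "smurf", edge=drop_echo_reply)
    print(f"{'small smurf, edge filter, link not saturated':45s} legit delivered {legit:.2f}  attack delivered {attack:.2f}")
```

Running it shows the edge filter removing every attack packet while legitimate delivery stays at roughly half, exactly what the unfiltered link gives; only the upstream echo-reply filter restores full legitimate delivery. The upstream SYN rule also stops the flood but costs every legitimate SYN, which is the "not so easy" of a SYN/ACK flood in this model.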
participants (3): Joe Shaw, Richard Steenbergen, Toplez Razer