On Oct 13, 2007, at 11:01 PM, Ahsan Khan wrote:
> This would
> create enough cushions for an administrator to react and remedy an
> attack.
DDoS attacks are attacks against capacity and/or against state. The
most effective strategy to handle DDoS within one's own span of
control (not including coordination with others, which will be
necessary in the event of a serious and ongoing attack) is to design
the entire system (network, hosts, apps, et al.) in order to
maximize capacity and minimize state vectors, while providing
sufficient instrumentation and telemetry for visibility (such as
NetFlow-based anomaly-detection), and sufficient mitigation/reaction
mechanisms to assert control.
There are various reaction mechanisms such as S/RTBH,
QPPB, and dedicated DDoS scrubbing systems which can be used to react
effectively to DDoS attacks; typically, these mechanisms instantiate
little or no state in the network and do not require symmetric traffic
flows (or indeed any interaction with 'outbound' traffic at all, assuming
the DDoS in question is an inbound one). Policy enforcement
mechanisms may deliberately instantiate state as part of their
operational paradigms, but that is a different application which
isn't directly related to mitigating DDoS.
-----------------------------------------------------------------------
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
I don't sound like nobody.
-- Elvis Presley
------------------------------------------------------------------------
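The two halves of the reply above (NetFlow-based anomaly detection for visibility, S/RTBH as a stateless reaction mechanism) can be shown end to end in a small script. The following is an added example, not code from the original post or from Roland Dobbins: it aggregates flow records for one export window, flags a destination whose packet rate and distinct-source count both spike against a learned baseline, picks the sources responsible, and renders the trigger-router static routes that drive source-based RTBH, falling back to destination-based RTBH when the source set is too large to enumerate. The flow record layout, the per-destination baselines, the thresholds, the route tag 66 and the sample flows are all assumptions made for the example, not facts from the post.

```python
"""
Added example, not the original poster's code: NetFlow-style flood detection
feeding an S/RTBH (source-based remotely triggered blackhole) trigger.
All values below (record layout, baselines, thresholds, tag 66, sample flows)
are assumptions for illustration, not taken from the mailing-list post.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60           # export window covered by the sample flows (assumed)
SPIKE_FACTOR = 10.0           # pps AND source count must exceed baseline x10
RESIDUAL_FACTOR = 2.0         # block sources until residual pps <= baseline x2
MAX_SRTBH_SOURCES = 256       # beyond this, stop enumerating and sink the victim
DEFAULT_BASELINE = {"pps": 100.0, "sources": 100}
RTBH_TAG = 66                 # must match the trigger router's route-map (assumed)

# Constructed per-destination baselines, as a NetFlow anomaly-detection
# system would learn them from earlier windows.
BASELINE = {"203.0.113.10": {"pps": 20.0, "sources": 50}}

# Constructed flows for one window: (src, dst, proto, dport, packets, bytes).
# 203.0.113.10 is a web server with two legitimate HTTPS clients plus a UDP
# flood from 500 distinct sources; 203.0.113.20 sees only a trickle of SMTP.
SAMPLE_FLOWS = [
    ("198.51.100.5", "203.0.113.10", 6, 443, 400, 320000),
    ("198.51.100.6", "203.0.113.10", 6, 443, 350, 280000),
    ("198.51.100.7", "203.0.113.20", 6, 25, 20, 12000),
] + [
    (f"100.64.{i // 250}.{i % 250 + 1}", "203.0.113.10", 17, 80, 4000, 256000)
    for i in range(500)
]


@dataclass
class Detection:
    victim: str
    pps: float
    unique_sources: int
    sources_by_packets: list   # [(src, packets), ...], heaviest first
    baseline_pps: float


def detect_floods(flows, baseline=BASELINE, window=WINDOW_SECONDS, factor=SPIKE_FACTOR):
    """Flag destinations whose packet rate AND distinct-source count both exceed
    their baseline by `factor`; requiring both avoids flagging one large
    legitimate transfer as a flood."""
    by_dst_src = defaultdict(lambda: defaultdict(int))
    for src, dst, _proto, _dport, packets, _bytes in flows:
        by_dst_src[dst][src] += packets
    detections = []
    for dst, per_src in by_dst_src.items():
        base = baseline.get(dst, DEFAULT_BASELINE)
        pps = sum(per_src.values()) / window
        if pps >= base["pps"] * factor and len(per_src) >= base["sources"] * factor:
            ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
            detections.append(Detection(dst, pps, len(per_src), ranked, base["pps"]))
    return detections


def select_attack_sources(det, window=WINDOW_SECONDS, residual_factor=RESIDUAL_FACTOR):
    """Walk sources from heaviest to lightest, blocking each until the traffic
    left over would fit within `residual_factor` x the baseline rate."""
    remaining = sum(p for _, p in det.sources_by_packets)
    target = det.baseline_pps * residual_factor * window
    blocked = []
    for src, packets in det.sources_by_packets:
        if remaining <= target:
            break
        blocked.append(src)
        remaining -= packets
    return blocked


def srtbh_trigger_routes(sources, tag=RTBH_TAG):
    """Trigger-router statics for S/RTBH: one /32 per attacking source, pointed
    at Null0 and tagged so the RTBH route-map redistributes it into iBGP with
    the discard next-hop. Edge routers need loose uRPF ('ip verify unicast
    source reachable-via any') on ingress for the drop to happen; no per-flow
    state is created anywhere."""
    return [f"ip route {src} 255.255.255.255 Null0 tag {tag}" for src in sources]


def drtbh_trigger_route(victim, tag=RTBH_TAG):
    """Destination-based fallback: sink the victim /32 itself, sacrificing that
    host to keep the flood off the rest of the network."""
    return f"ip route {victim} 255.255.255.255 Null0 tag {tag}"


def plan_mitigation(flows, max_sources=MAX_SRTBH_SOURCES):
    """Return the trigger-router config lines for every detected flood."""
    lines = []
    for det in detect_floods(flows):
        attackers = select_attack_sources(det)
        if len(attackers) <= max_sources:
            lines += srtbh_trigger_routes(attackers)
        else:
            lines.append(drtbh_trigger_route(det.victim))
    return lines


if __name__ == "__main__":
    for line in plan_mitigation(SAMPLE_FLOWS):
        print(line)
```

With the constructed flows the detector flags 203.0.113.10 (about 33,000 pps from 502 sources against a 20 pps / 50 source baseline), the source selection keeps the two legitimate HTTPS clients out of the blocklist, and because 500 attacking /32s exceed the assumed S/RTBH limit the plan falls back to a single destination-based blackhole route. Raising `max_sources` yields one S/RTBH static per attacking source instead; in either case the routers carry only routing state, never flow state, which is the property the post is pointing at.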