Sorry but I disagree. Firewalls don't defent against connection floods (naptha type attacks) very well at all. Take Cisco PIX as an example which has a setting where you can limit the maximum connection rate and the number of connections. The connection rate for the attack is quite low so this won't help and although the firewall will stop too many connections from being established to the web server this is done as a general hard limit. Once the limit is reached then no other connections are permitted though. This may stop a webserver from crashing but it still leaves the website unavailable. Firewall-1 is no better.
Statefull packet inspection won't help at all as the packets being sent are 100% valid. Besides as I said originally our own defense product is sitting infront and this does block this type of attack. The URL I pointed to with the packet capture was produced by our product. I was wondering what tool it could be doing this probing as I have seen the exact same profile of probing from at least 4 different IP addresses. > -----Original Message----- > From: Abraham Lincoln [mailto:[EMAIL PROTECTED] > Sent: Friday, July 11, 2003 12:44 > To: Gareth Blades > Subject: Re: [Full-Disclosure] RE: Attack profiling tool? > > > Lotsa available solution for that. IP Stack tunning and web > server such apache as u said... their are ways to set the rate > limit properly... and beside if ur web server behind a stateful > packet inspection fw it would prevent the attack the method of > the attacker is quite old. > > > ----- Original Message ----- > From: "Gareth Blades" <[EMAIL PROTECTED]> > Date: Fri, 11 Jul 2003 09:47:37 +0100 > To: "Fulldisclosure" <[EMAIL PROTECTED]> > Subject: [Full-Disclosure] RE: Attack profiling tool? > > > > From: Abraham Lincoln [mailto:[EMAIL PROTECTED] > > > Sent: Friday, July 11, 2003 03:19 > > > To: Gareth Blades > > > Subject: Re: Attack profiling tool? > > > no need for a expensive technology. block port 443 or if not > > > possible use a proactive security module that would circumvent > > > such attacks eg: linux security module that would intercept all > > > calls if abnormal just kill it :) Not using expensive and > > > signature/rule based technology. Like Anti-Virus its a protection > > > against yesterday's threat as morning_wood say heh > > > > That will not work very effectivly against this type of attack. > There are > > tools you can use (and quite a good module for apache) which > can be used to > > limit the number of connections from particular clients. > However if you set > > the limit too low you block people coming in via the big proxy > servers. If > > you set the limit too high then the maximum number of connections can be > > reached with a relativly small number of machines. > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > -- > __________________________________________________________ > Sign-up for your own FREE Personalized E-mail at Mail.com > http://www.mail.com/?sr=signup > > CareerBuilder.com has over 400,000 jobs. Be smarter about your job search > http://corp.mail.com/careers > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
