Re: [Full-disclosure] Attacking Critical Internet Infrastructure

2012-04-22 Thread Dobbins, Roland
On Apr 21, 2012, at 4:39 PM, fireba...@hushmail.com wrote: http://pdfcast.org/pdf/attacking-critical-internet-infrastructure This is a .pdf of a presentation on best current practices (BCPs) for protecting routers and layer-3 switches from DDoS attacks:

Re: [Full-disclosure] Hacking IPv6 Networks (slides)

2011-08-09 Thread Dobbins, Roland
On Jul 26, 2011, at 10:35 PM, Fernando Gont wrote: They contain quite a few insights about IPv6 security, along with a number of practical examples. Good stuff! A few observations: 1. By prepending lots of extension headers to packets, it may be possible to exhaust router ASIC/TCAM

Re: [Full-disclosure] Learning Social Engineering?

2011-07-11 Thread Dobbins, Roland
On Jul 11, 2011, at 1:29 AM, Maxim Veksler wrote: I would appreciate pointers to reading / video / forum material. This video captures the essence of social engineering: http://www.youtube.com/watch?v=dQw4w9WgXcQ --- Roland

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis (throughput)

2011-06-26 Thread Dobbins, Roland
On Jun 27, 2011, at 9:30 AM, 김무성 wrote: if there are many 408 request timeout responses, we can think this is slowloris or RUDY DDoS attack. Many things can cause this - not just DDoS. In fact, I've rarely seen a DDoS resulting in these responses, because in an effective DDoS, one often

Re: [Full-disclosure] Apple Airport Update?

2011-06-15 Thread Dobbins, Roland
On Jun 15, 2011, at 1:31 PM, Jeffrey Walton wrote: I'm not used to Apple releasing a lone update like this (perhaps my observations are inaccurate). Apple's commentary on the patch from the Software Update details screen: - Resolves an issue that caused the AirPort Utility to

Re: [Full-disclosure] New DDoS attack vector

2011-05-20 Thread Dobbins, Roland
On May 20, 2011, at 8:43 PM, ascii wrote: the attack you proposed is very stretched and has an extremely low efficiency. I believe that the 'attack' is actually backscatter from a targeted attack against the MTAs/antispam systems/recursive DNS servers of the organization whose MTAs were

Re: [Full-disclosure] New DDoS attack vector

2011-05-19 Thread Dobbins, Roland
On May 19, 2011, at 9:44 PM, minor float wrote: Dear list readers, on today we officially published our observations regarding the new attack vector of the DDoS against the DNS servers. Filtering out the bogus DNS queries generated by the MX-record lookups is pretty trivial with modern

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 11, 2011, at 4:22 PM, phocean wrote: So why going private? Because full-disclosure isn't the best forum for a lengthy discussion of this type. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 11, 2011, at 4:52 PM, phocean wrote: I want to read how you justify that stateful hardware is useless to check sessions of TCP and upper protocols. In front of servers, where there is no state to inspect. --- Roland

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 11, 2011, at 6:05 PM, phocean wrote: Passive FTP is the first example that comes to my mind where inspection (based on statefulness) is needed. I really don't want to continue this on full-disclosure, but there's still no material security value to stateful inspection in front of

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 11, 2011, at 10:03 PM, phocean wrote: - DDoS : anyway, a firewall isn't more susceptible to DoS than the server it protects. If you look at the hardware performance of modern firewalls, if an attacker has the ability to DoS it, then only a considerable server farm that very few

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 12, 2011, at 12:09 AM, phocean wrote: I still don't see how the hell the typical web server will handle as much traffic as one of these Checkpoint, Cisco or whatever monsters. That's the dread secret - they aren't really 'monsters'. But on a large network with inter-vlan filtering,

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 12, 2011, at 12:20 AM, phil wrote: (and I add that on private IOS like on sonicwall, it make it hard to hit with a 0day vuln) Everyone/everything has vulnerabilities of one sort or another: https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8232

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 12, 2011, at 12:31 AM, phocean wrote: When I look at the specs of high end machines of most makers, they are and they outmatch most of x64 servers. http://urbanairship.com/blog/2010/09/29/linux-kernel-tuning-for-c500k/

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread Dobbins, Roland
On May 12, 2011, at 3:49 AM, phocean wrote: To go back to my point: an application server (IIS, Apache) cannot sustain as many connections as a firewall (of course in a sane and standard environment). Sorry, but my operational experience is quite the opposite. And one generally deploys

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 10, 2011, at 1:40 PM, Tracy Reed wrote: If you have traffic going out to a high numbered port and you are not keeping state how do you know if that is a reply packet to an existing inbound connection or if it is an unauthorized outbound connection? You use stateless ACLs to filter

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 10, 2011, at 4:42 PM, Pete Smith wrote: if an attacker initiates a connection dest port higher than 2048 (to some other server the attacker controls) and source port of 80 that will pass through an ACL without issues, this would not be so on a stateful firewall. If the attacker's

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 10, 2011, at 8:53 PM, Bruno Cesar Moreira de Souza wrote: The stateless ACLs would not prevent ACK tunneling (http://ntsecurity.nu/papers/acktunneling/). Again, if an attacker's already in a position to do that, the game is already over.

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 10, 2011, at 10:45 PM, Thor (Hammer of God) wrote: There are any number of topological deployment scenarios where firewalls certainly provide security in depth and added security, irrespective of what Mr. Kaeo's opinion on the matter is. The only one I can think of is between a

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 11, 2011, at 4:01 AM, Thor (Hammer of God) wrote: HTTP may be stateless, but the TCP connection isn't. The purpose for my firewall in front of my web server is that if you get on the box, or can somehow try to initiate an external connection (e.g. SQL injection), you will not be

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 11, 2011, at 12:52 AM, Bruno Cesar Moreira de Souza wrote: How would you block an ACK tunnel using only a packet filter? (http://ntsecurity.nu/papers/acktunneling/) You don't need to stop the httpd service to create this kind of tunnel, as the packets from the attacker would just be

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 11, 2011, at 6:51 AM, Thor (Hammer of God) wrote: My experience is quite different, and I have personally seen too many instances to count where the use of firewalls has, without question, been what has saved a company. I would be extremely interested to learn details of how a stateful

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-10 Thread Dobbins, Roland
On May 11, 2011, at 7:18 AM, Thor (Hammer of God) wrote: Let's take it offline - you can share back with the group if you feel it valuable. Sounds good to me, thanks much! --- Roland Dobbins rdobb...@arbor.net //

Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-09 Thread Dobbins, Roland
On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote: Maybe they should call that You don't have to patch genius! Stateful firewalls have no place in front of servers, where every incoming request is unsolicited, and therefore there is no state to inspect in the first place. Stateful

Re: [Full-disclosure] DDoS attacks via other sites execution tool (DAVOSET)

2010-07-14 Thread Dobbins, Roland
On Jul 14, 2010, at 6:28 PM, MustLive wrote: In which I wrote particularly about creating of botnet from zombie-servers (which is a new type of botnets). A more appropriate name for this sort of attack might be an 'application reflection attack', as it's similar in concept to making use of

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-10 Thread Dobbins, Roland
On Jul 9, 2010, at 10:49 PM, Dario Ciccarone (dciccaro) wrote: Cisco Security Advisory: Vulnerabilities in SNMP Message Processing - which can be found at http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml . The bug ID on our bug database being CSCed68575. This is a

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland
On Jul 2, 2010, at 4:45 PM, Florian Weimer wrote: Those bugs might not be security-relevant, but they can be very annoying nevertheless. I agree, if it's bugs we're discussing - my guess is, we aren't dealing with a bug in this instance, given that the original poster seemed to indicate a

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland
On Jul 2, 2010, at 5:59 PM, Thierry Zoller wrote: There it is again, BCP. Is this the new IDS? BCP = Best Current Practice = iACLs, CoPP, et al. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland
On Jul 2, 2010, at 5:59 PM, Thierry Zoller wrote: If it is a default configuration and you can remotely cause a denial of service condition : it is a vulnerability. If it is a non standard configuration and you can remotely cause a denial of service condition : it is

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland
On Jul 2, 2010, at 5:54 PM, Champ Clark III [Softwink] wrote: Accidental 'DoS' conditions seem to pop-up a lot in these environments, IMHO. Availability is the most important, yet least-understood element of the C-I-A triad, IMHO. And not just on public-facing networks, but in private

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland
On Jul 2, 2010, at 7:43 PM, Thierry Zoller wrote: Was not aware of the acronym - BCP is generally used for Business continuity plan in the industry. I remember an interview with RMS many years ago; he was asked what he thought was the most pressing problem in computer science. After

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-02 Thread Dobbins, Roland
On Jul 3, 2010, at 2:05 AM, Mailing lists at Core Security Technologies wrote: Perhaps we should too ask and wait for actual data from Mr. Shang I acknowledged this deeper in the thread - and also noted that since I've seen the same kind of reported behavior not above two or three hundred

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland
On Jul 1, 2010, at 4:28 PM, Thierry Zoller wrote: If this is possible you have found a vulnerability. No - what he's found is a network in which common infrastructure self-protection BCPs haven't been deployed, that's all.

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland
On Jul 1, 2010, at 5:23 PM, Thierry Zoller wrote: If a device crashes when being scanned - it's a vulnerability. It sounds to me as if what happened was that he ended up driving the CPUs of the devices in question to 100%, and they stopped handling control-plane traffic and fell over. There

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland
On Jul 1, 2010, at 11:12 PM, Florian Weimer wrote: And it's certainly a bug worth fixing. I doubt it's a 'bug' which can be 'fixed', just the same as sending enough legitimate HTTP requests to a Web server to bring it to its knees isn't a 'bug' which can be 'fixed', but rather a DoS which

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland
On Jul 2, 2010, at 7:01 AM, Dan Kaminsky wrote: Permanent DoS's are unacceptable even from intentionally malicious traffic, let alone a few nmap flags. They're unacceptable to us, they're unacceptable to Microsoft (see: MSRC bug bar), and even Cisco PSIRT has shown up on thread desiring

Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?

2010-07-01 Thread Dobbins, Roland
On Jul 2, 2010, at 8:13 AM, Lee wrote: so presumably the scan came from a network that had full access to the routers. One question is whether or not the network in question *should* have full access to the management plane of the routers. That's a bit harder to defend against.

Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Dobbins, Roland
On Mar 9, 2010, at 11:01 PM, valdis.kletni...@vt.edu wrote: Oh, I didn't say they didn't exist. A good way to get started w/scalable DDoS mitigation is to implement S/RTBH on one's hardware-based edge routers, and then make use of open-source NetFlow tools for visibility. There are