Yeah, I am going to go out on a limb and be contrary. What you are saying is not exactly clear to me, but I am going to give it a shot anyway.

Can't an IDS look at the actual payload instead of the url & layer 3 - layer 4 info? Are you talking about an IDS on the client machine or the machine being attacked? On the client machine you should not let the applet be downloaded in the first place. On the target I would think the IDS would work the way I referenced up above. Further, most automated programs continuously make the same kind of packets (i.e. the source port never changes, etc.). So it would not be unusually hard for someone skilled at writing signatures to come up with one if they could get a packet dump and all the program's packets appear the same.

Anyone disagree???

Cheers,
Leon

-----Original Message-----
From: Michael Ungar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 3:51 PM
To: [EMAIL PROTECTED]
Subject: Floodnet Controls

As demonstrated with the recent DOS attack on the World Economic Forum's web site, tools are being made available which assist users in downloading an applet to automatically refresh against a target's home page, thereby making the site unavailable if enough users have downloaded and are running the applet.

Question 1 - In this type of attack, I've heard different opinions as to whether an IDS would or would not pick up the event since

a - url looks normal
b - three way handshake completes
c - traffic might be under url

I'm under the assumption the IDS would not catch 'cause of reasons a - c above. Any views to the contrary?

Question 2 - Any best practices against this risk other than making sure your site has much and redundant bandwidth.

Thanks.....Mike Ungar
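Added example, not part of either message: when the URL and the handshake look normal, a content signature has little to match on, but a timer-driven refresh still shows up as unusually regular request spacing from each client. The sketch below flags that pattern in a web log; the log format, thresholds, function name and addresses are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample log: "<seconds> <client> <path>".
# 192.0.2.10 and 192.0.2.11 reload "/" on a timer; 198.51.100.7 browses by hand.
SAMPLE_LOG = """\
0.0 192.0.2.10 /
0.4 198.51.100.7 /
0.5 192.0.2.11 /
2.0 192.0.2.10 /
2.5 192.0.2.11 /
4.0 192.0.2.10 /
4.5 192.0.2.11 /
6.1 192.0.2.10 /
6.5 192.0.2.11 /
7.9 198.51.100.7 /products
8.0 192.0.2.10 /
8.5 192.0.2.11 /
31.0 198.51.100.7 /
140.0 198.51.100.7 /
141.5 198.51.100.7 /
300.2 198.51.100.7 /
"""

def periodic_clients(log_text, min_requests=5, max_cv=0.1):
    """Return {path: [clients]} whose request spacing looks timer-driven."""
    times_by_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, path = line.split()
            times_by_key[(client, path)].append(float(ts))
    flagged = defaultdict(list)
    for (client, path), times in times_by_key.items():
        if len(times) < min_requests:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # identical timestamps: log resolution too coarse
        # Coefficient of variation: near 0 for a fixed timer, large for a person.
        if statistics.pstdev(gaps) / mean <= max_cv:
            flagged[path].append(client)
    return {path: sorted(clients) for path, clients in flagged.items()}

if __name__ == "__main__":
    print(periodic_clients(SAMPLE_LOG))
```

Counting how many distinct clients are flagged for the same path separates a coordinated refresh campaign from one misbehaving browser.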
