I can see 3 technologies which could mitigate the risk of this kind of DoS:
- Traffic shaping
- IDS
- Firewall

Traffic shaping could help reduce the likelihood of this kind of attack. I only know a little about dedicated products (Packeteer, Floodgate) and products partially implementing traffic shaping (Cisco IOS, Alteon's web switches, Nokia firewalls, ...). I guess dedicated products can implement:
- shaping on a per-source basis.
- restricting SYN packets per source and minute.

You can forget Cisco IOS traffic shaping as well as the Nokia firewall's one; these seem too simple for this kind of thing. Alteon's web switches could be useful as they are not limited to TCP, they also understand HTTP. But I don't know how/if they implement some traffic shaping feature. I guess Cisco's bigIP has similar features.

IDS could also help. ISS RealSecure can restrict the number of HTTP GETs (per minute) from a single source. This kind of rule can also be implemented in Snort. I guess Symantec's NetProwler and Marcus's NFR also implement some kind of counters/flags.

Some firewalls, especially Symantec's Raptor, are able to restrict the number of HTTP GETs per minute from a single source. Checkpoint's FireWall-1, with some INSPECT script, can also do this.

All these solutions have a major drawback: you could break connectivity from heavy proxies, as you'll see traffic from hundreds of different clients hidden behind a single IP address.

Michael Ungar wrote:
> As demonstrated with the recent DOS attack on the World Economic
> Forum's web site, tools are being made
> available which assist users in downloading an applet to automatically
> refresh against a target's home page;
> thereby making the site unavailable if enough users have downloaded
> and are running the applet.
> Question 1 - In this type of attack, I've heard different opinions as
> to whether an IDS would or would
> not pick up the event since
> a - url looks normal
> b - three way handshake completes
> c - traffic might be under url

Although the URL looks normal, the overall traffic does not.
A normal user will get the homepage, then its images; he will surf a little, then eventually come back to the homepage. Chances are the applet will load the same page repeatedly, or load successive pages at regular intervals, or ... An applet or any program can't emulate human behavior, so there will be something different. Unfortunately, even if it's not impossible for a program to discriminate between human behavior and robot behavior, it's at least very hard: you will probably face high false positive/negative rates.

> Question 2 - Any best practices against this risk other than making
> sure your site has much and
> redundant bandwidth.

In this kind of attack, the offenders are using their own IP addresses, making them eligible for prosecution; your losses could be paid back by your offenders. Although it's hard to prevent it efficiently before it happens (most products will provide you with simple triggers, no "intelligent" or adaptive algorithm), when the attack is under way, you may create more specific Snort rules.
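As an added worked example (not code from the original post), here are the two signals discussed above checked over a few constructed web-server log lines in Python: the "N GETs per minute from one source" trigger that the IDS and firewall products implement, and the regular-interval refresh of one page that a human browsing session does not produce. The addresses, thresholds and the known_proxies allowance for heavy proxies are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def _clf(ip, hhmmss, url):  # one constructed Common Log Format line (sample data, not real traffic)
    return f'{ip} - - [01/Feb/2002:{hhmmss} +0000] "GET {url} HTTP/1.0" 200 1024'

# 10.0.0.5 browses like a person (page, image, other pages); 10.0.0.9 reloads "/"
# every 5 seconds, the way an auto-refresh applet would.
SAMPLE_LOG = "\n".join(
    [_clf("10.0.0.5", "10:00:00", "/"), _clf("10.0.0.5", "10:00:01", "/logo.gif"),
     _clf("10.0.0.5", "10:00:14", "/news.html"), _clf("10.0.0.5", "10:00:47", "/about.html")]
    + [_clf("10.0.0.9", f"10:00:{5 * i:02d}", "/") for i in range(12)])

def parse_gets(log_text):  # -> {source_ip: [(epoch_seconds, url), ...]} for GETs, time-sorted
    events = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        src, stamp, method, url = m.groups()
        if method == "GET":
            t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
            events[src].append((t, url))
    return {src: sorted(evs) for src, evs in events.items()}

def classify_sources(log_text, max_gets_per_minute=10, min_repeats=5,
                     max_jitter=1.0, known_proxies=frozenset()):
    """Flag sources on the two signals the post discusses: GET rate and robotic regularity."""
    findings = {}
    for src, evs in parse_gets(log_text).items():
        reasons, times, start = [], [t for t, _ in evs], 0
        # Trigger 1: more than N GETs inside any sliding 60 s window. Skipped for known
        # proxies, since one proxy address legitimately fronts hundreds of clients.
        for end in range(len(times)):
            while times[end] - times[start] >= 60:
                start += 1
            if src not in known_proxies and end - start + 1 > max_gets_per_minute:
                reasons.append("rate")
                break
        # Trigger 2: same URL re-fetched at a near-constant interval (low jitter), unlike
        # a person's mix of page, images and follow-up links.
        for url in sorted({u for _, u in evs}):
            ts = [t for t, u in evs if u == url]
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if len(ts) >= min_repeats and pstdev(gaps) <= max_jitter:
                reasons.append(f"regular-refresh:{url}")
        if reasons:
            findings[src] = reasons
    return findings
```

Trigger 2 is the one that survives a proxy in front of many users, but it still needs tuning per site: a legitimate status page polled by a monitoring script looks exactly the same.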
