Re: [TSG] Re: [logs] intrusion detection and log analysis [was: book advice]

From: Crispin Cowan (crispin@private)
Date: Fri Nov 07 2003 - 13:00:58 PST


    Bennett Todd wrote:
    
    >>there are a couple of IDS vendors that claim to do this -- they
    >>tend to call themselves anomaly detection systems rather than
    >>intrusion detection systems -- and i've yet to be convinced about
    >>any of them. the only one i can think of is lancope, but rodney
    >>probably knows better than i do. the statistical issues are huge,
    >>because you've got to be able to characterize normal traffic in
    >>real time with huge numbers of packets.
    >I've seen one that really convinced me: Mazu Networks
    ><URL:http://www.mazunetworks.com/>. Their tool is a lot more than an
    >anomaly-detecting IDS, but that subset of its functionality is
    >pretty impressive, at least on paper. They're dear enough that I've
    >never seen one in operation.
    >
    An interesting company to cite. Mazu's main claim to fame (IIRC) is DDoS 
    defense. DoS attacks are distinct from penetration attacks in that you 
    pretty much cannot stop a pure DoS attack with access controls if your 
    goal is to offer a public service, e.g. a web site. You *must* resort to 
    content inspection (either NIDS or NIPS) to block DoS attacks, 
    attempting to discern the subtle difference between legitimate requests 
    and DoS traffic.
    
    I predict that in a year or two, DDoS attacks will reach sufficient 
    sophistication that they will become indistinguishable from highly 
    diversified natural traffic. This will cripple the Mazu approach. What 
    will be left is:
    
        * traceback: follow the packets back to the source, discover the
          zombies, and have them shut down.
        * egress filtering: get most or all of the larger ISPs to do at
          least coarse-grained egress filtering, to limit the spoofability
          of source IP addresses. With spoofed source IP addresses
          constrained, the diversity of source addresses from hundreds of
          zombies is constrained, restoring at least a nominal ability of
          devices like Mazu to detect DDoS traffic.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
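The egress-filtering idea in the second bullet of the message above, as an added Python example that is not part of the original post or of any vendor's product: it models a BCP 38-style source-address check at a customer edge (the assigned prefixes and the traffic sample are constructed) and shows how dropping packets with off-prefix sources bounds the source-address diversity that a flood detector downstream has to reason about.

```python
import ipaddress

# Constructed example: address space delegated to a hypothetical customer edge.
# Under coarse-grained egress filtering, any packet leaving this edge whose
# source lies outside these prefixes is treated as spoofed and dropped.
ASSIGNED_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/26")]


def egress_permitted(src, prefixes=ASSIGNED_PREFIXES):
    """True if src is an address this edge is allowed to originate."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=ASSIGNED_PREFIXES):
    """Split (src, dst) tuples into (forwarded, dropped_as_spoofed)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_permitted(pkt[0], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def distinct_sources(packets):
    """Number of distinct source addresses: the diversity a flood detector keys on."""
    return len({src for src, _ in packets})


def max_source_diversity(prefixes=ASSIGNED_PREFIXES):
    """Upper bound on distinct sources the edge can emit once the filter is in place."""
    return sum(net.num_addresses for net in prefixes)


# Constructed traffic sample: three legitimate flows from assigned space, plus a
# burst toward one victim using randomly diversified spoofed sources (as a zombie
# behind this edge would send without egress filtering).
VICTIM = "192.0.2.10"
SAMPLE = [("198.51.100.7", VICTIM), ("198.51.100.9", VICTIM), ("203.0.113.5", VICTIM)] + [
    (f"{10 + i}.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 13) % 256}", VICTIM) for i in range(20)
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE)
    print("distinct sources before filter:", distinct_sources(SAMPLE))  # 23
    print("distinct sources after filter: ", distinct_sources(fwd))     # 3
    print("dropped as spoofed:", len(drop), "bound on diversity:", max_source_diversity())
```

Without the filter the burst presents 23 distinct sources; with it the edge can never show more than the 320 addresses it was assigned, which is the constraint the message argues gives anomaly-based detectors something to work with again.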
    



    This archive was generated by hypermail 2b30 : Fri Nov 07 2003 - 16:04:22 PST