[logs] Re: DDos, Mazu [was: intrusion detection and log analysis]

From: Michael Batchelder (piranhabros@private)
Date: Sat Nov 08 2003 - 14:28:35 PST

    > Message: 1
    > Date: Fri, 07 Nov 2003 13:00:58 -0800
    > From: Crispin Cowan <crispin@private>
    > Subject: Re: [TSG] Re: [logs] intrusion detection and log
    > analysis [was: book advice]
    >
    > An interesting company to cite. Mazu's main claim to fame
    > (IIRC) is DDoS defense. DoS attacks are distinct from
    > penetration attacks in that you pretty much cannot stop a pure
    > DoS attack with access controls if your 
    > goal is to offer a public service, e.g. a web site. You *must*
    > resort to content inspection (either NIDS or NIPS) to block
    > DoS attacks, attempting to discern the subtle difference
    > between legitimate requests and DoS traffic.
    > 
    > I predict that in a year or two, DDoS attacks will reach
    > sufficient sophistication that they will become
    > indistinguishable from highly diversified natural traffic. This
    > will cripple the Mazu approach. What will be left is:
    > 
    >     * traceback: follow the packets back to the source,
    >       discover the zombies, and have them shut down.
    >     * egress filtering: get most or all of the larger ISPs to
    >       do at least coarse-grained egress filtering, to limit the
    >       spoofability of source IP addresses.
    <snip>
    
    This is OT for loganalysis, but what's your feeling about SYN
    cookies as the defense against DoS/DDoS?
    
    Binky
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Sun Nov 09 2003 - 11:08:57 PST