> Message: 1
> Date: Fri, 07 Nov 2003 13:00:58 -0800
> From: Crispin Cowan <crispin@private>
> Subject: Re: [TSG] Re: [logs] intrusion detection and log analysis [was: book advice]
>
> An interesting company to cite. Mazu's main claim to fame (IIRC) is DDoS defense. DoS attacks are distinct from penetration attacks in that you pretty much cannot stop a pure DoS attack with access controls if your goal is to offer a public service, e.g. a web site. You *must* resort to content inspection (either NIDS or NIPS) to block DoS attacks, attempting to discern the subtle difference between legitimate requests and DoS traffic.
>
> I predict that in a year or two, DDoS attacks will reach sufficient sophistication that they will become indistinguishable from highly diversified natural traffic. This will cripple the Mazu approach. What will be left is:
>
> * traceback: follow the packets back to the source, discover the zombies, and have them shut down.
> * egress filtering: get most or all of the larger ISPs to do at least coarse-grained egress filtering, to limit the spoofability of source IP addresses.

<snip>

This is OT for loganalysis, but what's your feeling about SYN cookies as the defense against DoS/DDoS?

Binky

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
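The SYN-cookie question above is about a narrower problem than the one Crispin describes: a SYN flood exhausts the server's half-open connection table, and a cookie lets the server answer SYNs without keeping any per-client state until the handshake actually completes. The following Python model (an added illustration for this thread, not code from any poster or from a kernel) shows the mechanism end to end: the server encodes a keyed MAC of the connection 4-tuple, a coarse time counter and the client's MSS into the initial sequence number of the SYN-ACK, then reconstructs and checks that value from the final ACK. The bit layout, the 64-second slot, the MSS table and the flood model are assumptions chosen for clarity; they follow the spirit of the classic scheme but are not any operating system's exact implementation.

```python
"""Userspace model of TCP SYN cookies (illustrative, not a kernel's code).

Cookie (32-bit ISN) layout, an assumption for this example:
  bits 31..27  5-bit coarse time counter (slot = 64 s, wraps every 32 slots)
  bits 26..24  index into MSS_TABLE (only 2 bits used here)
  bits 23..0   HMAC-SHA256 over (4-tuple, counter, mss index), truncated
"""
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)       # constructed per process; real servers rotate it
SLOT_SECONDS = 64                      # assumed granularity of the time counter
MAX_SLOT_AGE = 1                       # accept current and previous slot only
MSS_TABLE = (536, 1220, 1440, 1460)    # assumed set of MSS values we can encode


def _counter(now: float) -> int:
    """5-bit time counter derived from wall-clock seconds."""
    return int(now // SLOT_SECONDS) & 0x1F


def _mss_index(client_mss: int) -> int:
    """Largest table entry not exceeding what the client offered."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            idx = i
    return idx


def _mac24(src_ip, src_port, dst_ip, dst_port, counter, mss_idx, secret) -> int:
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}|{mss_idx}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")      # 24-bit truncation


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now, secret=SECRET) -> int:
    """Server side on SYN: the ISN to send in SYN-ACK. Stores nothing."""
    c = _counter(now)
    mss_idx = _mss_index(client_mss)
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, c, mss_idx, secret)
    return (c << 27) | (mss_idx << 24) | mac


def verify_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now, secret=SECRET):
    """Server side on the final ACK. Returns the MSS to use, or None if the
    cookie is forged, for another 4-tuple, or older than MAX_SLOT_AGE slots.
    The peer acknowledges ISN + 1, so the cookie is ack_number - 1."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    c = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if ((_counter(now) - c) & 0x1F) > MAX_SLOT_AGE:
        return None                               # stale: replayed or very old
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, c, mss_idx, secret)
    got = cookie & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def simulate_flood(n_bogus_syns, backlog=128, use_cookies=False) -> bool:
    """Toy model of a flood of spoofed SYNs that never complete the handshake.
    Returns whether a legitimate client arriving afterwards gets through.
    Without cookies each SYN occupies a half-open slot until it times out (not
    modelled); with cookies the server keeps no state at all."""
    server = ("203.0.113.5", 443)                 # constructed addresses
    now = 1_700_000_000.0
    half_open = set()
    for i in range(n_bogus_syns):
        spoofed = (f"198.51.100.{i % 250}", 1024 + i)
        if use_cookies:
            make_cookie(*spoofed, *server, 536, now)   # nothing retained
        elif len(half_open) < backlog:
            half_open.add(spoofed)                # table fills up, then SYNs drop
    legit = ("192.0.2.7", 51234)
    if use_cookies:
        isn = make_cookie(*legit, *server, 1460, now)
        return verify_cookie(*legit, *server, isn + 1, now) is not None
    return len(half_open) < backlog


if __name__ == "__main__":
    print("naive backlog survives flood:", simulate_flood(10_000, use_cookies=False))
    print("syn cookies survive flood:   ", simulate_flood(10_000, use_cookies=True))
```

Two caveats a defender should keep in mind when reading this against the thread: cookies protect only the state table, so they do nothing against the bandwidth and application-layer floods Crispin's "indistinguishable from natural traffic" prediction is about; and because the server stores nothing, any TCP options not squeezed into the cookie (window scaling, SACK) are lost for cookie-validated connections unless another channel such as TCP timestamps carries them, which is why real stacks enable cookies only once the backlog is under pressure.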
This archive was generated by hypermail 2b30 : Sun Nov 09 2003 - 11:08:57 PST