Comments on TaoSecurity Blog: Review of Internet Denial of Service Posted
Blog author: Richard Bejtlich
8 comments (feed last updated 2023-10-16)

---

Anonymous, 2005-03-17 20:12 (-05:00)

In the IDOS book there's a statement in there that "law enforcement" has yet to uncover or solve a "DDoS for profit", or hire, DDoS attack. I point you to a case out of the Newark, NJ FBI and U.S. Attorney's Office and press release regarding a Michigan man who hired a juvenile residing in NJ to commit DDoS attacks against his competitors. Arrests and prosecutions were made in this case. Interested parties could contact the Newark Division of the FBI and/or the United States Attorney's Office for background.

---

Richard Bejtlich, 2005-02-08 14:32 (-05:00)

Communicating over blog comments is getting crazy. Would you mind emailing me at taosecurity at gmail dot com?

---

Trevor, 2005-02-08 14:06 (-05:00)

Sorry, I didn't mean to indicate that I was dissing your links. :) I think this all makes for good discussion on the matter. Anti-DDoS talk gets me all riled up since I have spent so much time hands-on dealing with the problem.

As for the pictures... well Higbee found those somewhere and they made us giggle. Since we think many of the personalities in this industry are so very serious, we figured it would be refreshing to have some who don't.

---

Richard Bejtlich, 2005-02-08 13:57 (-05:00)

Never mind about the photos -- I just found them:

http://packetwerks.org/secureme/gertjonnys.jpg

http://packetwerks.org/secureme/garvis.jpg

---

Richard Bejtlich, 2005-02-08 13:51 (-05:00)

Trevor, no problem. I've met two of you 70s-style secureme (http://secureme.blogspot.com/) guys already so I knew you weren't trying to beat me. (Where did you get those pictures?)

About D-WARD and DefCOM -- if I mention something, it's in no way an endorsement. I only recommend or discuss projects in detail if I try them personally. If I mention a link, it's more to jog my memory in the future. I hate keeping bookmarks, since they lack any context whatsoever. If I mention a URL or project in the context of a blog entry, at least I have a way to remember how I learned of it and what it relates to. D-WARD and DefCOM could be absolutely worthless from a practical point of view, but they're in a blog entry for me to reference later.

---

Trevor, 2005-02-08 13:40 (-05:00)

Richard - Sorry I didn't get the chance to introduce myself over the weekend. :) Thanks for the reply.

It's good to hear that they didn't go overboard with thinking that they provided a solution to the problem. A lot of people and companies do.

Even D-Ward and DefCOM appear to be projects that require everyone to deploy the same hardware at the edges and transit networks. That doesn't work in complex high-capacity networks.

---

Richard Bejtlich, 2005-02-08 13:24 (-05:00)

Hi Trevor,

Thanks for your comment. Given your experience, you are probably not the target audience for this book! Rest assured that I did not finish reading IDOS and think "problem solved." Rather, I finished reading and thought "tough problem -- here are some ways to mitigate it." I think you would find the authors' advice sound since they do not presume to have solved the world's DoS problems. They are more interested in explaining the problem, its history, and ways admins, vendors, and researchers have approached it. While some vendors may be pushing snake oil, IDOS isn't.

---

Trevor, 2005-02-08 11:34 (-05:00)

Disclaimer: I have not read this book.

The problem with nearly every single anti-DDoS book, project, presentation, sales glossy, product demo, and white paper that I have seen is that they miss the core fact that this is a carrier problem. No matter what box you put in front of your network, once the flood becomes resource exhaustive, you're making a call to your ISP. There are all kinds of devices you can deploy at your ingress points and they will all tell you "the attack is coming from the internet".

SYN floods are one of the more effective DoS attacks. Adding hardware just moves the problem around your network. Get a beefier router, ok now the problem is at the firewall. Upgrade your firewall. Ok now your switches are on fire. Ok upgraded switches, now your servers are dead. You just need to pick which box you want to burn. Every device has a buffer, and once the buffer is full, legit and attack traffic is getting dropped.

I've personally responded to and mitigated hundreds of DoS attacks in my career at UUNET using access-lists and null routes and never once did any magic snake-oil box located at the customer site make a difference.

Unless the struggling-for-profit and broke carriers deploy thousands of anti-DDoS devices all over their networks, this book and all the devices in that industry are pure snake-oil. Sure, you can drop in millions of dollars of hardware, move to Akamai, etc. Now you are blowing millions so that one time maybe, probably, in the future you are the target of a DoS attack, you are protected. That's not effective risk management.