Monday, February 07, 2005

Review of Internet Denial of Service Posted

I just posted my five-star review of Internet Denial of Service. From the review:

"'Internet Denial of Service' (IDOS) is an excellent book by expert authors. IDOS combines sound advice with a fairly complete examination of the denial of service (DoS) problem set. Although the authors write from the DoS point of view, as a network security monitoring advocate I found myself agreeing with many of their insights. Since there are no other books dedicated to DoS, I was very pleased to find this one is a powerful resource for managers and technicians alike."

The "RST scan" controversy mentioned in the review refers to my paper Interpreting Network Traffic. I discussed the issue in The Tao as well.

Two interesting projects I intend to research further are D-WARD and DefCOM.


Trevor said...

Disclaimer: I have not read this book.

The problem with nearly every single anti-DDoS book, project, presentation, sales glossy, product demo, and white paper that I have seen is that they miss the core fact that this is a carrier problem. No matter what box you put in front of your network, once the flood becomes resource exhaustive, you're making a call to your ISP. There are all kinds of devices you can deploy at your ingress points and they will all tell you "the attack is coming from the internet".

SYN floods are one of the more effective DoS attacks. Adding hardware just moves the problem around your network. Get a beefier router, ok now the problem is at the firewall. Upgrade your firewall. Ok now your switches are on fire. Ok upgraded switches, now your servers are dead. You just need to pick which box you want to burn. Every device has a buffer, and once the buffer is full, legit and attack traffic is getting dropped.

I've personally responded to and mitigated hundreds of DoS attacks in my career at UUNET using access-lists and null routes and never once did any magic snake-oil box located at the customer site make a difference.

Unless the struggling-for-profit and broke carriers deploy thousands of anti-DDoS devices all over their networks, this book and all the devices in that industry are pure snake-oil. Sure, you can drop in millions of dollars of hardware, move to Akamai, etc. Now you are blowing millions so that one time maybe, probably, in the future you are the target of a DoS attack, you are protected. That's not effective risk management.
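As an added illustration of the buffer-exhaustion point made in the comment above (this is editorial example code, not part of the blog post or of Trevor's comment, and every rate, buffer size and tick count in it is a constructed sample value): a minimal tick-based queue model of one device whose inbound buffer fills under an overload. Because the device cannot tell legitimate from attack packets at this layer, it drops both in proportion once the buffer is full, and enlarging the buffer only delays when that happens.

```python
# Added illustration (not from the blog post or its comments): a fluid-flow
# model of a single device with a fixed buffer under a flood that exceeds its
# service rate. All rates (packets per tick) and sizes are constructed values.

def simulate(legit_pps, attack_pps, service_pps, buffer_size, ticks=100):
    """Run a tick-based queue model and report what happened to the
    legitimate traffic.

    Returns a dict with the fraction of legitimate packets the device
    served and the fraction it dropped at the buffer (the remainder is
    still queued when the run ends). Arrivals are a mixed stream, so
    when the buffer has no room the device drops legitimate and attack
    packets in proportion: it has no way to tell them apart.
    """
    q_legit = q_attack = 0.0       # packets waiting in the buffer, by origin
    served_legit = 0.0
    dropped_legit = 0.0
    for _ in range(ticks):
        arrivals = legit_pps + attack_pps
        space = buffer_size - (q_legit + q_attack)
        # Share of this tick's arrivals that fits into the remaining space.
        admit = min(1.0, space / arrivals) if arrivals else 1.0
        q_legit += legit_pps * admit
        q_attack += attack_pps * admit
        dropped_legit += legit_pps * (1.0 - admit)
        # The device drains at most service_pps packets per tick, taken from
        # the buffer in whatever mix is currently queued.
        queued = q_legit + q_attack
        served = min(queued, service_pps)
        if queued:
            share = served * q_legit / queued
            q_legit -= share
            q_attack -= served - share
            served_legit += share
    total_legit = legit_pps * ticks
    if not total_legit:
        return {"served": 1.0, "dropped": 0.0}
    return {"served": served_legit / total_legit,
            "dropped": dropped_legit / total_legit}


def buffer_sweep(legit_pps, attack_pps, service_pps, buffer_sizes, ticks=100):
    """Fraction of legitimate traffic served for each candidate buffer size,
    so the effect of 'buying a bigger box' can be read off directly."""
    return {b: simulate(legit_pps, attack_pps, service_pps, b, ticks)["served"]
            for b in buffer_sizes}


if __name__ == "__main__":
    # Constructed scenario: 100 legit pps, a 400 pps flood, a device that can
    # service 150 pps. The flood alone exceeds capacity, so no buffer helps.
    for size, served in buffer_sweep(100, 400, 150, [200, 2000, 20000]).items():
        print(f"buffer {size:>6}: legit served {served:.1%}")
    print("no attack:", simulate(100, 0, 150, 200))
```

With the constructed numbers, every buffer size ends up serving roughly 30% of the legitimate packets, because once the attack rate exceeds the service rate the device is saturated and the mix it drains is the mix that arrived; the larger buffers only add queueing delay before reaching that state. The point of the model is the one the comment makes: the fix has to happen upstream, where the flood can be filtered before it reaches a saturated device.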

Richard Bejtlich said...

Hi Trevor,

Thanks for your comment. Given your experience, you are probably not the target audience for this book! Rest assured that I did not finish reading IDOS and think "problem solved." Rather, I finished reading and thought "tough problem -- here are some ways to mitigate it." I think you would find the authors' advice sound since they do not presume to have solved the world's DoS problems. They are more interested in explaining the problem, its history, and ways admins, vendors, and researchers have approached it. While some vendors may be pushing snake oil, IDOS isn't.

Trevor said...

Richard - Sorry I didn't get the chance to introduce myself over the weekend. :) Thanks for the reply.

It's good to hear that they didn't go overboard with thinking that they provided a solution to the problem. A lot of people and companies do.

Even D-Ward and DefCOM appear to be projects that require everyone to deploy the same hardware at the edges and transit networks. That doesn't work in complex high-capacity networks.

Richard Bejtlich said...

Trevor, no problem. I've met two of you 70s-style secureme guys already so I knew you weren't trying to beat me. (Where did you get those pictures?)

About D-WARD and DefCOM -- if I mention something, it's in no way an endorsement. I only recommend or discuss projects in detail if I try them personally. If I mention a link, it's more to jog my memory in the future. I hate keeping bookmarks, since they lack any context whatsoever. If I mention a URL or project in the context of a blog entry, at least I have a way to remember how I learned of it and what it relates to. D-WARD and DefCOM could be absolutely worthless from a practical point of view, but they're in a blog entry for me to reference later.

Richard Bejtlich said...

Never mind about the photos -- I just found them:

Trevor said...

Sorry, I didn't mean to indicate that I was dissing your links. :) I think this all makes for good discussion on the matter. Anti-DDoS talk gets me all riled up since I have spent so much time hands-on dealing with the problem.

As for the pictures... well Higbee found those somewhere and they made us giggle. Since we think many of the personalities in this industry are so very serious, we figured it would be refreshing to have some who don't.

Richard Bejtlich said...

Communicating over blog comments is getting crazy. Would you mind emailing me at taosecurity at gmail dot com?

Anonymous said...

In the IDOS book there's a statement in there that "law enforcement" has yet to uncover or solve a "DDoS for profit", or hire, DDoS attack. I point you to a case out of the Newark, NJ FBI and U.S. Attorney's Office and press release regarding a Michigan man who hired a juvenile residing in NJ to commit DDoS attacks against his competitors. Arrests and prosecutions were made in this case. Interested parties could contact the Newark Division of the FBI and/or the United States Attorney's Office for background.