
velometer dos attack
kpsalami

2002-01-17, 11:09 pm

I may be answering my own question here but
need some reinforcement….

Q. We are proactively stress testing our new web site at work and use a
trialware app called Velometer to simulate database queries and user
sessions. It occurred to me that if someone wanted to bring down the site,
(and there are million dollar companies we’re putting out of business if the
site succeeds), all they may need to do is run Velometer and simulate
3000 SQL queries to, if not kill SQL, at least chew up our bandwidth.

So, to tie this into Cisco, what is the best defense???

I was thinking how do I limit bandwidth on a source address??
Do I use the IDS ?

OR... is that what that “embryonic” PIX command is for???

The PIX would see the TCP sessions climb to an alarming rate, in an
alarming time span, and close the sessions to a configurable amount??

Believe it or not, this is a question!!

Help..

Kip Palmer

MadChef

2002-01-18, 5:30 am

This is a good example of what TCP intercept on most firewalls would be good for. Unless you're completing the 3 way handshake (which would be dumb if you're a cracker since it would identify you; you would instead use forged source addresses) the firewall would either start dropping the half open connections in active mode or start sending FINs to the target if it was in passive mode.
Without doing this on a distributed basis, it would be very difficult to simply chew up a target's bandwidth. After all, how many people have an OC-3 set aside for mischievous uses?

MadChef
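An added illustration of the half-open (embryonic) connection limit that MadChef's reply describes. This is not code from the thread, from Cisco, or from the PIX/IOS TCP intercept feature; it is a small Python model with an "intercept" mode that drops the oldest half-open entry once the limit is reached and a "watch" mode that only ages stale entries out (a simplification: a real firewall in watch mode resets the server side after a timeout, here the timeout just clears the entry). The limit, the timeout and every address in the scenario are constructed.

```python
"""
Toy model of a firewall's embryonic (half-open) TCP connection limit,
run over a constructed sequence of SYN / handshake-completion events.
Added illustration only: not Cisco PIX or IOS code. The limit, the
SYN timeout and all addresses below are assumptions made up for the demo.
"""
from collections import OrderedDict

SYN_TIMEOUT = 30.0  # seconds a half-open entry may live before it is aged out (assumed)


class HalfOpenTracker:
    """Tracks connections to one server that have received a SYN but not finished the handshake."""

    def __init__(self, limit, mode="intercept"):
        self.limit = limit              # maximum half-open connections allowed at once
        self.mode = mode                # "intercept": drop oldest at limit; "watch": only age out
        self.half_open = OrderedDict()  # (src_ip, src_port) -> time the SYN arrived
        self.dropped = []               # ((src_ip, src_port), reason) for every discarded entry
        self.established = 0

    def _age_out(self, now):
        """Discard half-open entries that have waited longer than SYN_TIMEOUT."""
        for key, ts in list(self.half_open.items()):
            if now - ts > SYN_TIMEOUT:
                del self.half_open[key]
                self.dropped.append((key, "timeout"))

    def syn(self, src_ip, src_port, now):
        """A new SYN arrives for the server."""
        self._age_out(now)
        if self.mode == "intercept" and len(self.half_open) >= self.limit:
            # At the limit: make room by discarding the oldest half-open entry
            oldest, _ = self.half_open.popitem(last=False)
            self.dropped.append((oldest, "limit"))
        self.half_open[(src_ip, src_port)] = now

    def ack(self, src_ip, src_port, now):
        """The client's final ACK arrives. Returns False if its entry was already discarded."""
        key = (src_ip, src_port)
        if key in self.half_open:
            del self.half_open[key]
            self.established += 1
            return True
        return False

    def tick(self, now):
        """Periodic housekeeping: age out stale entries with no new packet."""
        self._age_out(now)

    def sources_by_half_open(self):
        """Half-open count per source address, the view an operator would check first."""
        counts = {}
        for ip, _port in self.half_open:
            counts[ip] = counts.get(ip, 0) + 1
        return counts


def run_demo():
    """Constructed scenario: one legitimate client, then a burst of SYNs that are never completed."""
    results = {}
    for mode in ("intercept", "watch"):
        t = HalfOpenTracker(limit=20, mode=mode)
        t.syn("203.0.113.5", 40000, 0.0)        # legitimate client completes its handshake
        t.ack("203.0.113.5", 40000, 0.1)
        # constructed burst: 50 SYNs spread over 10 source addresses, none ever ACKed
        for i in range(50):
            t.syn(f"198.51.100.{i % 10}", 1000 + i, 1.0 + i * 0.01)
        busiest = max(t.sources_by_half_open().values())
        t.syn("203.0.113.6", 40001, 2.0)        # second legitimate client during the burst
        t.ack("203.0.113.6", 40001, 2.1)
        late = t.ack("198.51.100.0", 1000, 3.0)  # burst entry finally completing its handshake
        t.tick(40.0)                            # 30 s later anything stale is aged out
        results[mode] = {
            "established": t.established,
            "dropped_at_limit": sum(1 for _, why in t.dropped if why == "limit"),
            "timed_out": sum(1 for _, why in t.dropped if why == "timeout"),
            "half_open_now": len(t.half_open),
            "busiest_source": busiest,
            "late_ack_accepted": late,
        }
    return results


if __name__ == "__main__":
    for mode, stats in run_demo().items():
        print(mode, stats)
```

In the intercept run the table never holds more than the 20-entry limit and the two legitimate clients still get through, at the cost of the late-completing burst entry being refused; in the watch run the table fills with all 50 burst entries and only empties once they time out. That is the difference between the two modes the reply draws, and it also shows why the per-source counts are the first thing to look at when a site is being "stress tested" from outside.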
chodan

2002-01-30, 7:44 pm

Intercepting such attacks "if distributed" on the PIX wouldn't keep your bandwidth from getting hosed if for instance it is fairly limited.
If you have a good relationship with your ISP you could have them block that for you but I wouldn't recommend it until after an attack.
Does this sound reasonable?

kpsalami

2002-02-01, 2:54 am

Bandwidth is 5mg ATM.
So, what's actually going to catch and block it on the PIX? Floodguard? Embryonic sessions? Help..

Thanks

Copyright 2003 - 2008 examnotes.net