lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <AEEAKGKHCDMLEHCOGIBCAEFNCDAA.list.fulldisclosure@webscreen-technology.com>
From: list.fulldisclosure at webscreen-technology.com (Gareth Blades)
Subject: RE: Attack profiling tool?

Sorry but I disagree. Firewalls don't defent against connection floods
(naptha type attacks) very well at all.
Take Cisco PIX as an example which has a setting where you can limit the
maximum connection rate and the number of connections. The connection rate
for the attack is quite low so this won't help and although the firewall
will stop too many connections from being established to the web server this
is done as a general hard limit. Once the limit is reached then no other
connections are permitted though. This may stop a webserver from crashing
but it still leaves the website unavailable.
Firewall-1 is no better.

Statefull packet inspection won't help at all as the packets being sent are
100% valid.

Besides as I said originally our own defense product is sitting infront and
this does block this type of attack. The URL I pointed to with the packet
capture was produced by our product. I was wondering what tool it could be
doing this probing as I have seen the exact same profile of probing from at
least 4 different IP addresses.

> -----Original Message-----
> From: Abraham Lincoln [mailto:sunninja@...entist.com]
> Sent: Friday, July 11, 2003 12:44
> To: Gareth Blades
> Subject: Re: [Full-Disclosure] RE: Attack profiling tool?
>
>
>    Lotsa available solution for that. IP Stack tunning and web
> server such apache as u said... their are ways to set the rate
> limit properly... and beside if ur web server behind a stateful
> packet inspection fw it would prevent the attack the method of
> the attacker is quite old.
>
>
> ----- Original Message -----
> From: "Gareth Blades" <list.fulldisclosure@...screen-technology.com>
> Date: Fri, 11 Jul 2003 09:47:37 +0100
> To: "Fulldisclosure" <full-disclosure@...ts.netsys.com>
> Subject: [Full-Disclosure] RE: Attack profiling tool?
>
> > > From: Abraham Lincoln [mailto:sunninja@...entist.com]
> > > Sent: Friday, July 11, 2003 03:19
> > > To: Gareth Blades
> > > Subject: Re: Attack profiling tool?
> > >    no need for a expensive technology. block port 443 or if not
> > > possible use a proactive security module that would circumvent
> > > such attacks eg: linux security module that would intercept all
> > > calls if abnormal just kill it :) Not using expensive and
> > > signature/rule based technology. Like Anti-Virus its a protection
> > > against yesterday's threat as morning_wood say heh
> >
> > That will not work very effectivly against this type of attack.
> There are
> > tools you can use (and quite a good module for apache) which
> can be used to
> > limit the number of connections from particular clients.
> However if you set
> > the limit too low you block people coming in via the big proxy
> servers. If
> > you set the limit too high then the maximum number of connections can be
> > reached with a relativly small number of machines.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> __________________________________________________________
> Sign-up for your own FREE Personalized E-mail at Mail.com
> http://www.mail.com/?sr=signup
>
> CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
> http://corp.mail.com/careers
>
>
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ