How effective is software at blocking L4 attacks?
#1
The big question asked among a few noob admins. How effective is it really?
Do NOT PM me for any inquiries related to advertising on PacketPunks. 
Reply
#2
Ambiguous question. Are we talking spoofed, distributed, what? Layer 4 is not an attack vector - it's just a classification of what layer of the OSI model the attack vector is targeting.

For each attack vector, there is generally a corresponding mitigating technique. Additionally, mitigation techniques generally are implemented as part of the overall topology and design as opposed to a simple piece of software on a host.

For an example, check out S/RTBH with unicast reverse path validation (uRPF).

Here's some additional reading material:

http://www.ripe.net/ripe/mail/archives/s...00019.html
http://tools.ietf.org/html/bcp38
http://ftp.ftp-eng.cisco.com/cons/worksh...dule17.pdf
http://packetlife.net/blog/2010/aug/23/s...ased-rtbh/


Zane
Reply
#3
(03-22-2014, 09:31 PM)Mr. Zane Wrote: Ambiguous question. Are we talking spoofed, distributed, what? Layer 4 is not an attack vector - it's just a classification of what layer of the OSI model the attack vector is targeting.

For each attack vector, there is generally a corresponding mitigating technique. Additionally, mitigation techniques generally are implemented as part of the overall topology and design as opposed to a simple piece of software on a host.

For an example, check out S/RTBH with unicast reverse path validation (uRPF).

Here's some additional reading material:

http://www.ripe.net/ripe/mail/archives/s...00019.html
http://tools.ietf.org/html/bcp38
http://ftp.ftp-eng.cisco.com/cons/worksh...dule17.pdf
http://packetlife.net/blog/2010/aug/23/s...ased-rtbh/


Zane

Most DDoS tools seem to be using spoofed attacks nowadays. Are there any tools effective at mitigating it at software/server level?
Reply
#4
(03-24-2014, 02:32 AM)Schultz Wrote:
Most DDoS tools seem to be using spoofed attacks nowadays. Are there any tools effective at mitigating it at software/server level?

Generally not. Then again, this is coming from a network guy's perspective. I tend to look down on the server guys ^_^

Plus, a lot of my experience is on the provider side, not the end-user side.
Reply
#5
Doesn't most of the protection have to be server side?

Best regards,
-Siberia
PacketPunks
Knowledge talks, wisdom listens.
PM me with any questions or comments
Reply
#6
(03-26-2014, 06:09 PM)Siberia Wrote: Doesn't most of the protection have to be server side?

Best regards,
-Siberia


Generally, for DDoS / DoS - the protection needs to be implemented upstream. Server-side hardening is more for application layer exploitation of vulnerable code, applications, etc.

Consider this... your server has a 10Mb/s internet connection, and I am forwarding 10Gb/s of traffic to your box. Your line is going to be completely saturated and unable to satisfy any subsequent legitimate requests that come in during the flood. In this case, upstream filtering and S/RTBH would be necessary (note, this is why we care about BCP 38 with uRPF... so we don't have to deal with this crap anymore).

Now, if you're thinking more along the lines of half-open embryonic TCP connections... even then you can filter that at your network edge. Examples follow:

Old as fuck: http://www.cisco.com/c/en/us/td/docs/ios...fdenl.html


Somewhat new:
http://www.cisco.com/c/en/us/td/docs/sec...#wp1179119


But yeah, for attack vectors leveraging half open sockets / stealthy resource consumption methods, it's usually best to harden at the server side in conjunction with network edge filtering.
Reply
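To make the BCP 38 / uRPF / S/RTBH point from posts #2 and #6 concrete, here is an added toy model (not code from the thread or from any vendor) of a router's source-address check in strict and loose uRPF mode, and of what happens to a spoofed source once a black-hole route is triggered for it. All prefixes, interface names and packets are constructed for illustration.

```python
# Added example (not from the original thread): toy model of the two uRPF modes
# the posts refer to. The forwarding table maps prefixes to an egress interface;
# "Null0" marks a black-hole route. All prefixes, interfaces and packets are constructed.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

def best_route(fib: List[Route], src: str) -> Optional[Route]:
    """Longest-prefix match for the packet's source address."""
    ip = ipaddress.ip_address(src)
    hits = [r for r in fib if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def urpf_strict(fib: List[Route], src: str, ingress: str) -> bool:
    """BCP 38 at the customer edge: the best route back to the source must
    point out the interface the packet arrived on."""
    r = best_route(fib, src)
    return r is not None and r[1] == ingress

def urpf_loose(fib: List[Route], src: str) -> bool:
    """Loose mode: any route to the source suffices unless it is a black hole.
    This is the hook S/RTBH relies on (allow-default handling omitted)."""
    r = best_route(fib, src)
    return r is not None and r[1] != "Null0"

def trigger_blackhole(fib: List[Route], src: str) -> None:
    """S/RTBH: inject a /32 to Null0 for the attacking source. Longest-prefix
    match makes it beat the covering /24, so only that one host is dropped."""
    fib.append((ipaddress.ip_network(f"{src}/32"), "Null0"))

def demo() -> dict:
    fib: List[Route] = [
        (ipaddress.ip_network("192.0.2.0/24"), "Gi0/1"),     # customer A
        (ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),  # customer B
        (ipaddress.ip_network("203.0.113.0/24"), "Gi0/0"),   # via upstream
    ]
    res = {  # packets on customer A's port, strict mode
        "legit_from_A": urpf_strict(fib, "192.0.2.10", "Gi0/1"),
        "A_spoofing_B": urpf_strict(fib, "198.51.100.5", "Gi0/1"),
        "A_spoofing_remote": urpf_strict(fib, "203.0.113.7", "Gi0/1"),
        "A_spoofing_unrouted": urpf_strict(fib, "10.9.8.7", "Gi0/1"),
        # remote source arriving from upstream, loose mode
        "remote_before_rtbh": urpf_loose(fib, "203.0.113.7"),
    }
    trigger_blackhole(fib, "203.0.113.7")
    res["remote_after_rtbh"] = urpf_loose(fib, "203.0.113.7")
    res["neighbour_after_rtbh"] = urpf_loose(fib, "203.0.113.8")
    return res
```

Strict mode on the customer port drops every spoofed source at the first hop, which is why the thread keeps pointing at BCP 38; loose mode on the upstream side lets normal remote traffic through until a Null0 route for the offending host is injected, after which only that host is discarded and its neighbour is still accepted.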