Thank you for the corrections.

I guess I should have said ACL and firewalls alone are not sufficient
as these can block only known attack methodologies or defined traffic.

On Thu, Apr 26, 2012 at 8:35 AM, _ <packetnull (at) gmail (dot) com [email concealed]> wrote:
> to add on this DoS/DDoS/DRDoS are usually based on timing and amount of connections ACL's are a first line of defense.  Nasty little buggers they are attackers will try to "deny" service from layers 3 to 7. thats why security folks come up with new fancy terms like NGFW's same thing bonded together�
>
>
>
> On Apr 24, 2012, at 3:58 PM, "David Gillett" <gillettdavid (at) fhda (dot) edu [email concealed]> wrote:
>
>> From: Don Thomas [mailto:don.thomasjacob (at) gmail (dot) com [email concealed]] wrote:
>>
>>> 1st you need to think beyond your network firewalls and ACL on the router.
>> Firewalls and ACL can never stop DoS attacks as they can stop only
>> information you have asked it
>>> to stop.
>>
>>  Ooops.  You've provided no argument that establishes that we cannot ask
>> firewalls or ACLs to block DoS/DDoS attacks....
>>
>>  There *are* two relevant limitations of firewalls and ACLs, but they're
>> not what you suggest here:
>>
>> 1.  Firewalls and ACLs effectively classify traffic into three categories:
>> known good, known bad, and unknown.  They may have to base this
>> categorization on inadequate information -- for instance, to an ACL there's
>> no easy way to distinguish a simple ping from a ping-of-death.  Sometimes
>> the only real difference between legitimate traffic and a DoS/DDoS is the
>> rate of such traffic; ACLs provide no way to specify this, and not all
>> firewalls do either...
>>
>> 2.  A firewall or ACL can only act on traffic that reaches the location
>> where it is implemented.  In some cases, a DoS/DDoS attack may do its damage
>> before reaching that point.  For instance, a trivial brute-force bandwidth
>> consumption attack will probably manage to saturate the ISP connection
>> regardless of whether it is blocked once it arrives at the target's site.
>>
>>  Disproof by counterexample: My ACLs block some specific DoS attacks that
>> used to knock us off the Internet routinely.
>>
>> David Gillett, CISSP CCNP
>>
>>
>> ------------------------------------------------------------------------

>> Securing Apache Web Server with thawte Digital Certificate
>> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
>> ------------------------------------------------------------------------

>>

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

[ reply ]