Hurgel Bumpf skrev:
> Hi List,
>
> i need to protect a "realtime" website with an inline IPS from (D)DOS attacks.

An IPS is not the solution if this is just to protect against DDoS, as
many are saying already.
It is to close to your infrastructure...

>
> I had some bad experience with Tippingpoint UnityOne 2400 field test. The device dropped to much sessions until all connectivity was lost.
> After that no investigation was not possible as TP logs all attack information with IP address 0.0.0.0

What "DDoS" filter gave you these hits? What was the test?
Doesn't sound like the attack was an application level attack, but more
like a network attack...which, as I say above, an IPS won't help you
with, since your connections are clogged anyway.

>
> The vendor excused this with the layered technology and passing the IP address from the hardware to the logger would lead to delayed packages)
>
> This is unacceptable.
>
> i'm now looking forward to test a Cisco IPS 4270-20 and a McAfee Network Security 4050 appliance.
>
> Who has a good/bad experience with that devices? Is it true that all devices don't log ip adresses?

In some scenarios, the inline devices are having issues with logging
IPs. Just like you will have issues going through all IPs in a bot net
DDoS attack as well. And what do you need the IPs for? Do you have the
man power to go through several thousand IPs? ;)

>
> My dream appliance would be able to run like in a 7 day learning mode which counts max new sessions per second, max sessions per client aso. After this 7 days it creates a filter with +x% of the learned values and sets these limits active.
>
> A big problem is that i have to install it into the productive system to get the real values. I dont have any fixed values regarding the new sessions per second and i cant just guess and set values and render the system offline.

http://netoptics.com/ or
http://www.vssmonitoring.com/products/overview.asp might help you with
this. You can get your solution to look at the real traffic without
interfering.

>
> All information is highly appreciated!
>
> Thank you very much for your time,
>
> Andre
>

If you are affraid of network based DDoS attacks, talk to your ISP to
see what services they are offering, or look at a netflow solution and
see if you can do something with BGP in your infrastructure.

If you are affraid of application level based DDoS, an IPS or
Application Firewall might help, though I've heard stories of
configuration nightmares with the latter ones.

But it is very rare that you'll find the solution to DDoS threats with a
box on the wire by itself...

>
>
> -----------------------------------------------------------------
> Securing Your Online Data Transfer with SSL.
> A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
> http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194
>
>

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]