dos attack solution or not

aha

Archived from groups: comp.security.firewalls

A DoS attack happens when 1000s of PCs send out 1000s of calls for connection
requests. Why can a firewall not count the number of requests from an IP
number to the server and grant only one request every 20 sec or so?
This way the server is shielded from the attacker.

Or is this way too simple?
abe
--
remove x in mail address to reply
 
Guest

> A DoS attack happens when 1000s of PCs send out 1000s of calls for connection
> requests. Why can a firewall not count the number of requests from an IP
> number to the server and grant only one request every 20 sec or so?
> This way the server is shielded from the attacker.
>

DoS attacks usually work best when the server actually tries to respond to
the attacks, although this is not always the case. The response actually adds
to the bandwidth or adds to the processing time, and the best thing it can do
is to remain silent.

I believe some firewalls used the IP request count in determining an attack,
but there is more than one way to reduce the risk.
 
Guest

"aha" <c> wrote in news:40dfc386$0$124$1b2cd167@news.wanadoo.nl:

> A DoS attack happens when 1000s of PCs send out 1000s of calls for connection
> requests. Why can a firewall not count the number of requests from an IP
> number to the server and grant only one request every 20 sec or so?
> This way the server is shielded from the attacker.
>
> Or is this way too simple?
> abe

I don't know. To me, just setting a network FW to not respond to pings may
be a viable solution. Or the ability to set rules on a FW appliance to
block the IP for a certain amount of time would be viable also.

Duane :)
 
Guest

In article <40dfc386$0$124$1b2cd167@news.wanadoo.nl>, "aha" <c> says...
> A DoS attack happens when 1000s of PCs send out 1000s of calls for connection
> requests. Why can a firewall not count the number of requests from an IP
> number to the server and grant only one request every 20 sec or so?
> This way the server is shielded from the attacker.

A firewall CAN detect this type of attack and stop it, but you need a
real FIREWALL, not some cheap router disguised as a firewall, to get this
feature. All of the WatchGuard Firebox line has been able to protect
against this type of attack for as long as I've known about WG products.


--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

"aha" <c> wrote:

> A DoS attack happens when 1000s of PCs send out 1000s of calls for
> connection requests

No. That's a DDoS (Distributed Denial of Service). A DoS is an attack
where a single attacker shuts down your server by exploiting a bug. A
DDoS is where your server gets overwhelmed by too much traffic.

Juergen Nieveler
--
Bill Bush is hot indicating Fax encryption doesn't work meaning Jim
Wright votes to block NORAD,TUSA and Jiang Zemin.
 
Guest

"aha" <c> wrote in news:40dfc386$0$124$1b2cd167@news.wanadoo.nl:

> A DoS attack happens when 1000s of PCs send out 1000s of calls for connection
> requests. Why can a firewall not count the number of requests from an IP
> number to the server and grant only one request every 20 sec or so?
> This way the server is shielded from the attacker.
>
> Or is this way too simple?
> abe

With a DDoS you don't have many options. You could theoretically rate-limit
your inbound protocols. Whilst this would stop your services from
accepting too many inbound connections, it would not stop your ISP-facing
connection from being swamped with all those incoming requests.

You could work with your ISP to make sure your links from the ISP are also
suitably filtered (however, most places I've seen don't do this).

SysAdm
 
Guest

SysAdm <me@here.com> wrote:

> Blocking the source IP for a time limit is also a potential nightmare,
> as the source IP in a DDoS attack is usually a zombie.

Or worse, it's spoofed and pretends to be your own server or something
else that you'd rather want to work...

Juergen Nieveler
--
Am I wise, or otherwise?
 

Dave

That is basically what a good firewall with DoS protection does.
Just look at the settings on a typical unit and you'll see packet
numbers and time thresholds.

Dave


On Mon, 28 Jun 2004 09:06:49 +0200, "aha" <c> wrote:

> A DoS attack happens when 1000s of PCs send out 1000s of calls for connection
> requests. Why can a firewall not count the number of requests from an IP
> number to the server and grant only one request every 20 sec or so?
> This way the server is shielded from the attacker.
>
> Or is this way too simple?
> abe
 
Guest

Because if a big company's website lets you wait 20 sec or bans you
for surfing too fast, you will leave.
