* J sez:

: Jonas and group:
: 
: I encourage you to examine Captus Networks' solution. Their box stops DoS
: attacks (from passing their box to your network.) I/We've been testing it
: for about two weeks now. It really does what they say.

Well Captus has managed to put something in a 1U box, we have to give
'em that :). As an ex-Consultant and now Start-Up-Founder, I've always
been looking for disclosure. I can't legitimately recommend something to
a client by repeating the box seller's sales pitch. Captus has so far
failed to explain to me what the difference between their appliance and
an OpenBSD box with SNORT/SPADE and ipf is. Well, other than the price,
that is. By running SNORT/SPADE one is sufficiently able to detect DoS
patterns and inject rules into ipf. Some smaller changes to ipf allow
for 'expiring' rules based on the time and threshold supplied when setting
up the rule.

There's, of course, some problem in setting things up. Captus provides
quite a nice appliance in terms of maintenance and setup; the Captio-G
adds Gig-E, which is especially fine. On the other hand, a company like
Silicon Defense [1] could do the same, using OpenSource technology that'd
let you replicate the setup in minutes for the price of the hardware
(and that'd be 4 Quad-Ethernet cards, either GigE or 100BaseT, some
faster machine and a 255M flash hard disk).

[1] Silicon Defense (www.silicondefense.com) are the guys who contribute
heavily to SNORT and are, amongst other things, the creators of SPADE.
They do provide pretty decent SNORT Consulting, I've been told. (I have
nothing to do with them, other than knowing what they do).

: Yes, if your upstream provider (say, Pac Bell) isn't protecting you,
: your T1 can saturate, effectively DoS'ing you. The traffic will not
: traverse their box and make it to your network, however.

How's load testing doing? Does it actually work in 800k legitimate/200k
illegitimate traffic scenarios? How about the threat of being completely
locked down (DoSed :) if the attacker spoofs random source points
that are frequently used? Can I supply whitelists?
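To make concrete what the SNORT/SPADE-plus-ipf setup sketched above amounts to, and what the whitelist question at the end is about, here is an added illustrative example (not code from this thread, from SNORT/SPADE, or from ipf). It implements the two mechanisms mentioned in the message as a self-contained Python model: a per-source packet-rate threshold over a sliding window that generates a block rule, and rules that expire after a fixed TTL so a spoofed or briefly noisy source regains service without manual cleanup. The sample flow records, the addresses, the whitelist contents and the rule text format are all constructed for the demonstration; the `block in quick from <src> to any` line mimics ipf syntax but is only printed, never applied to a firewall.

```python
"""Illustrative rate-threshold DoS detector with expiring block rules.

Added example; not SNORT, SPADE or ipf code.  Nothing here talks to a
firewall: rules are plain Python objects that can render an ipf-style line.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample flow records: (timestamp in seconds, source address).
# 203.0.113.5 floods (8 packets in 0.7 s), 192.0.2.10 bursts just as hard but
# is whitelisted (think: a monitoring host that must never be cut off), and
# 198.51.100.7 is a normal client sending three packets over 12 seconds.
SAMPLE_FLOWS = sorted(
    [(0.1 * i, "203.0.113.5") for i in range(8)]
    + [(0.1 * i, "192.0.2.10") for i in range(8)]
    + [(0.0, "198.51.100.7"), (5.0, "198.51.100.7"), (12.0, "198.51.100.7")]
)

WHITELIST = {"192.0.2.10"}  # hypothetical never-block list for this example


@dataclass
class BlockRule:
    src: str
    created: float
    ttl: float

    def expired(self, now: float) -> bool:
        return now >= self.created + self.ttl

    def ipf_text(self) -> str:
        # ipf-like syntax, rendered for illustration only
        return f"block in quick from {self.src} to any"


class ThresholdBlocker:
    """Block a source once it sends more than `threshold` packets inside any
    `window` seconds.  Each rule lives `ttl` seconds, then expires on its own."""

    def __init__(self, threshold: int, window: float, ttl: float, whitelist=frozenset()):
        self.threshold = threshold
        self.window = window
        self.ttl = ttl
        self.whitelist = set(whitelist)
        self.recent = defaultdict(deque)          # src -> timestamps inside window
        self.rules: dict[str, BlockRule] = {}      # src -> active rule
        self.dropped = 0

    def observe(self, ts: float, src: str) -> str:
        """Return 'pass', 'drop' (existing rule) or 'block' (new rule created)."""
        rule = self.rules.get(src)
        if rule is not None:
            if rule.expired(ts):
                del self.rules[src]               # TTL elapsed: source is forgiven
            else:
                self.dropped += 1
                return "drop"
        if src in self.whitelist:
            return "pass"                         # whitelisted sources are never rate-limited
        q = self.recent[src]
        q.append(ts)
        while q and q[0] < ts - self.window:      # slide the window forward
            q.popleft()
        if len(q) > self.threshold:
            self.rules[src] = BlockRule(src, ts, self.ttl)
            q.clear()
            self.dropped += 1
            return "block"
        return "pass"

    def active_rules(self, now: float) -> list[str]:
        """Expire stale rules and return the rule text of those still active."""
        for src in [s for s, r in self.rules.items() if r.expired(now)]:
            del self.rules[src]
        return [r.ipf_text() for r in self.rules.values()]


def run_sample(threshold: int = 5, window: float = 1.0, ttl: float = 10.0):
    """Replay the constructed flows; returns the blocker and per-packet verdicts."""
    blocker = ThresholdBlocker(threshold, window, ttl, WHITELIST)
    verdicts = [(ts, src, blocker.observe(ts, src)) for ts, src in SAMPLE_FLOWS]
    return blocker, verdicts


if __name__ == "__main__":
    b, v = run_sample()
    for ts, src, verdict in v:
        print(f"{ts:5.1f}s {src:14s} {verdict}")
    print("active at t=5s:", b.active_rules(5.0))
    print("active at t=11s:", b.active_rules(11.0))
```

With the sample data the flooding source trips the threshold on its sixth packet, its remaining packets are dropped, the whitelisted host passes throughout despite sending the same burst, and the rule is gone by t=11s without anyone touching the firewall. The whitelist is the answer to the spoofing concern in the message: without it, an attacker who spoofs the address of an upstream resolver or monitoring host could get that address blocked, so any threshold-driven blocker needs a never-block list as part of its configuration.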
