"Captus has so far
failed to explain to me what the difference between their appliance and
an OpenBSD Box with SNORT/SPADE and ipf is. Well, other than the price,
that is. By running SNORT/SPADE one is sufficiently able to detect DoS
patterns and inject rules into ipf."
I'm with you here. I too like to know the "toaster", so to speak. I
personally
don't possess the skills to create the above BSD box. I know, shame on me.
In my defense, I have a life....
Load testing is fine. The unit we have saturates around 300Mbits/sec. Captus
tells us
they have a new 64x66 backplane due-out any week here. I really like the
box, but I'd also
like to see a CSU/DSU connection so I could plant it at MCI or something to
prevent DoS traffic
from getting to my facility.
TAFN.
J
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jonas Luster
Sent: Saturday, June 09, 2001 1:24 AM
To: [EMAIL PROTECTED]
Subject: Re: DDos Defenses
* J sez:
: Jonas and group:
:
: I encourage you to examine Captus Networks' solution. Their box stops DoS
: attacks (from passing their box to your network.) I/We've been testing it
: for about two weeks now. It really does what they say.
Well, Captus has managed to put something in a 1U box, we have to give
'em that :). As an ex-Consultant and now Start-Up-Founder, I've always
been looking for disclosure. I can't legitimately recommend something to
a client by repeating the box seller's sales pitch. Captus has so far
failed to explain to me what the difference between their appliance and
an OpenBSD Box with SNORT/SPADE and ipf is. Well, other than the price,
that is. By running SNORT/SPADE one is sufficiently able to detect DoS
patterns and inject rules into ipf. Some smaller changes to ipf allow
for 'expiring' rules based on time and threshold supplied when setting
up the rule.
There's, of course, some problem in setting things up. Captus provides
quite a nice appliance in terms of maintenance and setup, the Captio-G
adds Gig-E, which is especially fine. On the other hand, a company like
Silicon Defense [1] could do the same, using OpenSource technology that'd
let you replicate the setup in minutes for the price of the hardware
(and that'd be 4 Quad-Ethernet cards, either GigE or 100BaseT, some
faster machine and a 255M flash-Harddisk).
[1] Silicon Defense (www.silicondefense.com) are the guys who contribute
heavily to SNORT and are, amongst other things, the creators of SPADE.
They do provide pretty decent SNORT Consulting, I've been told. (I have
nothing to do with them, other than knowing what they do).
: Yes, if your upstream provider (say, Pac Bell) isn't protecting you,
: your T1 can saturate, effectively DoS'ing you. The traffic will not
: traverse their box and make it to your network, however.
How's load testing doing? Does it actually work in 800k legitimate/200k
illegitimate traffic scenarios? How about the threat of being completely
locked down (DoSed :) if the attacker spoofs random source points
that are frequently used? Can I supply whitelists?
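The SNORT-to-ipf loop Jonas sketches above (count alerts per source, push a block rule into ipf, let it expire after a while) and the two questions he closes with (whitelists, and an attacker spoofing sources you depend on) can be shown in one small script. The following is an added example written for this page; it is not code from Jonas, Captus, Silicon Defense or the SNORT/ipf projects. It assumes SNORT's "fast" alert format, a hypothetical interface name `fxp0`, documentation-range IP addresses in constructed sample alerts, and it does rule expiry in userland (tracking a TTL and running `ipf -r -f -`) rather than via the patched ipf Jonas mentions. The whitelist is what keeps a flood of spoofed alerts from blocking, say, your upstream resolver.

```python
"""
Rate-based auto-blocker for an OpenBSD/ipf firewall fed by SNORT alerts.
Added example (not project code). Alerts in SNORT "fast" format are
counted per source address inside a sliding window; a source exceeding
the threshold gets an ipf block rule, which is removed again once its
TTL elapses. Whitelisted networks are never blocked, however many alerts
they generate, which is the defence against spoofed-source lockout.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SNORT fast format: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line, year=2001):
    """Return (timestamp, source_ip) for a fast-format alert line, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return ts, m["src"]


class AutoBlocker:
    def __init__(self, iface, threshold, window_s, ttl_s, whitelist=()):
        self.iface = iface                      # hypothetical, e.g. "fxp0"
        self.threshold = threshold              # alerts per window that trigger a block
        self.window = timedelta(seconds=window_s)
        self.ttl = timedelta(seconds=ttl_s)     # how long a block rule lives
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.hits = defaultdict(deque)          # src -> alert timestamps inside the window
        self.blocked = {}                       # src -> expiry time

    def rule(self, src):
        # ipf syntax: block inbound packets from this host on the outside interface.
        return f"block in quick on {self.iface} from {src}/32 to any"

    def is_whitelisted(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.whitelist)

    def expire(self, now):
        """Emit removal commands (ipf -r) for rules whose TTL has elapsed."""
        cmds = []
        for src, until in sorted(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                cmds.append(f"echo '{self.rule(src)}' | ipf -r -f -")
        return cmds

    def observe(self, now, src):
        """Feed one alert; return the ipf commands it triggers (possibly none)."""
        cmds = self.expire(now)
        if self.is_whitelisted(src) or src in self.blocked:
            return cmds
        q = self.hits[src]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[src] = now + self.ttl
            q.clear()
            cmds.append(f"echo '{self.rule(src)}' | ipf -f -")
        return cmds


def run(lines, **kw):
    """Replay alert lines through an AutoBlocker; return the ipf commands issued."""
    blocker = AutoBlocker(**kw)
    cmds = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed:
            cmds.extend(blocker.observe(*parsed))
    return cmds


# Constructed sample alerts using documentation addresses; not real SNORT output.
SAMPLE_ALERTS = (
    [f"06/09-01:24:0{i}.000000  [**] [1:1000001:1] SYN flood [**] [Priority: 2] "
     f"{{TCP}} 203.0.113.7:{40000 + i} -> 192.0.2.10:80" for i in range(5)]
    + [f"06/09-01:24:0{i}.500000  [**] [1:1000001:1] SYN flood [**] [Priority: 2] "
       f"{{UDP}} 198.51.100.53:53 -> 192.0.2.10:{1024 + i}" for i in range(6)]
    + ["06/09-01:40:00.000000  [**] [1:1000001:1] SYN flood [**] [Priority: 2] "
       "{TCP} 203.0.113.9:1234 -> 192.0.2.10:80"]
)

if __name__ == "__main__":
    for cmd in run(SAMPLE_ALERTS, iface="fxp0", threshold=5, window_s=10,
                   ttl_s=600, whitelist=["198.51.100.0/24"]):
        print(cmd)
```

With the whitelist in place, 203.0.113.7 is blocked on its fifth alert and unblocked when the next alert arrives after the TTL; the six alerts carrying the (spoofable) address of the 198.51.100.53 resolver produce no rule at all. Run the same input with an empty whitelist and the resolver is blocked too, which is exactly the self-inflicted lockout Jonas asks about. The `hits.clear()` on block and the deque trimming keep memory bounded per source, but an attacker spraying random sources still creates one rule per source; a cap on the number of live rules is the next thing a practitioner would add.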