> Exactly. All choke points have their limit.
> If you have a 100 megabit uplink to the Internet and a distributed attacker
> is able to source 110mbps of spoofed DoS traffic, that doesn't mean your
> firewall is "vulnerable" to a pure noise DoS flood.
I don't believe it is possible to reach 110 Mbps in a 100 Mbps uplink, so we still don't have DoS. This kind of DoS, which makes your uplink reach the maximum throughput possible, is not protected by IPS and/or Firewall devices. It should be addressed by another strategy.

> But a well-designed Firewall shouldn't fall over under a sustained DoS,
> should have a well-implemented state engine, synproxy, and RED,
> such that under most types of DoS traffic, legitimate sessions still
> have a chance to get through.

I didn't say that, I said you should be sure you have the appropriate Firewall to work in your environment, so be sure you have a 100 Mbps Firewall to handle a 100 Mbps link instead of trying for a miracle with a 10 Mbps in a 100 Mbps link. It sounds like a VW Beetle racing against a Ferrari in an F1 GP.

Nelson Brito
