Domain: nss.co.uk
Stories and comments across the archive that link to nss.co.uk.
Comments · 8
-
There is a way...
There are several things you can do to minimize or mitigate a DDOS attack, the first and most obvious method would be to host your server from two seperate hosting providors preferably in different geographic locations LA and NYC or Dallas and Seattle for example, have both IP's in dns with the same A record and it will be round-robined by DNS, so each visitor should be balanced between the two servers.
Another cheap way is to deploy an inline IPS device which mitigates the attack in real-time. Some devices performance range drasticly with price.
There are even some free ones such as OpenBSD' Packet Filter, this can supply advanced syn-flood protection, connection tracking and general packet scrubbing all within a low cost solution but with the lack of support and learning curve and completeness, so YMMV. I have tested several commercial devices and so far I am most impressed with the http://www.ddos.com/ guy's box it thoroughly kicks ass for the price.
Anyways a couple of good sites to find more info on hardware, etc would be http://www.securityfocus.com/'s IDS mailinglist (yes all the IPS stuff goes here too) and also http://www.nss.co.uk/ who do alot of independent reviews of this kind of hardware. They charge for some of their reports but most of it can be found on their site for free.
DDOS is a toughy, the best way is to keep a low profile :) if thats not an option, then your going to have to dish out some bucks to protect yourself. The Internet is the new Wild Wild West, there is no such thing as diplomacy.
Good luck. -
review
Have a look at www.nss.co.uk. They do a pretty good review of gig NIDS. I think it costs like 50USD though.
-
A more balanced review
IMHO, the recent review performed by NSS reveals a more advanced understanding of IDS technology. They haven't evaluated quite as many NIDS in their review and instead have opted to include a few HIDS for good measure. -Gordo
-
Several commentsNOTE: I'm the author of Snort, so I may be opionated on this topic...
I just got in from a busy day and what do I find but a little Snort action on ole Slashdot...
So, I've got a few comments about the comments:
Snort signatures and the quality thereof. Anyone who complains about the quality of Snort signatures is a lazy bastard, they're open source and easy to modify, if you find that much wrong with them make the appropriate changes and mail them back to me or Brian Caswell, our own official Snort Rules Nazi. Just because we write Snort sigs doesn't mean you have to use them, the original concept behind Snort and the rules files that came with the distro was that the users could look at examples of how to write them and develop their own set for the site they were protecting. This has gotten way out of hand over the past three years and has blossomed into the approximately 1300 rules we have now. The quality isn't always the best, but we're working on it (and if you've been tracking them over the past 6 months they've gotten much better.
Performance. People from ISS talking about the superior performance of their solution is laughable, it's been shown repeatedly in third party IDS roundups that Snort performs on par with or better than almost all of the other commercially available NIDS solutions out there. In fact, I know of one large entertainment company that sank a decent chunk of money into hardware that's running Snort at OC-12 speeds on their network successfully with no packet loss at all. Moral of the story? IDS performance is tied directly to the configuration and horsepower of the sensor hardware. No big revelations there. The fact of the matter is that's Snort's capabilities and performance keep increasing as we continue to develop it. We're also about to revisit some major architectural components of the system as we begin development on Snort 2.0 this month, but that's a different topic...
Love Snort but need a commercial company to back it? Check out Sourcefire, a company that I founded this year precisely to do that. We are selling network IDS appliances complete with a web-based GUI, data analysis console, and full blown configuration management system built in. We're also working on a Management Console appliance that will allow you to deploy and manage a distributed Snort NIDS infrastructure and manage all the data that comes out of the system and perform multi-sensor correlation.
Rapid response. When the shit hits the fan on the Internet, Snort is usually the leader in getting out new sigs to the user community. Case in point, the W32/Voyager MS SQL worm that recently came out, we were the first with sigs to pick it up.
So in the end, Snort gives you speed and accuracy (in that I mean you can identify specific exploits very precisely), has an active development and user community and is flexible to meet users needs. I think that this is a really good combo for most people's needs. Now that Sourcefire is out there, I think that the needs of "pro" users can be satisfied as well as those of the open source world.
On the other hand I might be biased, as I did write the thing...
;)-Marty
-
Re:You pay for performance> If you can find me one NIDS review by a reputable 3rd party where
> they hooked up a NIDS to a SMARTBITS and reported the results I'll take it back.
Well for one, the review we are talking about, which you can download here, used a SmartBits (among other things) to generate background traffic during the performance tests. See pages 167 and 228 in the report.
-
Get the real report from NSS.
You can get the real IDS report from the NSS group at http://www.nss.co.uk. at no charge.
-
Re:Where's the proof?Find the report.
From a brief initial read, it seems to be a fair review. It requires more work than the commercial offerings but is more flexible. And for their tests, they got comparable performance to the commercial products. To give a brief quote:
Configured correctly, it also turns in a performance every bit the equal of (and often superior to) commercial products costing many thousands of pounds.
You are right however, the current links are mostly fluff.
-
Re:Um, details?
Go to Snort's website. Note article "One Pig to Rule Them All." Find link directing you to here. Fill in the required info and download 4MB pdf. It's going to take me awhile to digest the nearly 250 pages of this report.