Figure 7-16 DoS Resulting from NIDS Shunning

[Figure 7-16 (image not recoverable): an attacker launches an attack whose source IP address belongs to another party. The NIDS detects the attack and takes the "block at firewall" action, adding an ACL entry that denies all traffic from that source address. All subsequent valid traffic from the address is then blocked, potentially affecting hundreds of users. Labels in the figure: Attacker, Public servers, Internal, ISP Customers, Management traffic.]

• For very fast attacks, by the time the filter is put in place, the damage might have already been done.

There are several strategies to minimize these concerns.

• Tune your IDS and put it close to the systems you are trying to protect (see the previous section for more details).

• Only shun high-impact attacks with a low chance of being a false positive. Which signatures these will be depends on your environment. By completing the tuning process, you should have a good idea of these events.

• Only shun attacks that are difficult to spoof. This generally means TCP attacks that require a session to be established before the attack is executed. A TCP SYN flood would be an example of an attack you would not want to shun. User Datagram Protocol (UDP) attacks are generally easier to spoof, so in most cases they should not be shunned.

• Set the shun length very short (5-10 minutes). This gives the IDS administrator some time to react. The attack happened, the NIDS blocked the IP address, and now the administrator must examine the activity and decide whether to implement permanent blocking or turn off the shun. This unfortunately requires 24x7 monitoring of your NIDS, as discussed in the previous section.
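The four strategies above amount to a decision policy a sensor or its management console applies to each alert. The following is an added example written for this page, not code from the book or from any IDS product: a small shun policy that shuns only tuned high-impact signatures, only TCP attacks with an established session (so a SYN flood or a UDP alert from a spoofable source is never shunned), and only for a short window that expires on its own unless an administrator confirms it. The signature names, the never-shun list and all IP addresses (drawn from the RFC 5737 documentation ranges) are constructed for the example.

```python
# Added example (not from the book): a shun-decision policy that applies the
# rules in the text -- tuned signatures only, TCP on an established session
# only, and a short shun window that expires unless an administrator acts.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Signatures the tuning process marked as high impact / low false positive.
# Constructed placeholder names, not real sensor signature IDs.
SHUN_ELIGIBLE = {"WEB-CMD-INJECTION", "SMB-EXPLOIT-ATTEMPT"}

# Assumption for the example: addresses (management hosts, upstream devices)
# that must never be shunned, whatever the alert says.
NEVER_SHUN = {"192.0.2.1"}


@dataclass
class Alert:
    signature: str
    src_ip: str
    protocol: str           # "tcp" or "udp"
    tcp_established: bool   # did the 3-way handshake complete before the attack?
    ts: datetime


@dataclass
class ShunPolicy:
    shun_minutes: int = 10                        # keep it short: 5-10 minutes
    blocks: dict = field(default_factory=dict)    # src_ip -> expiry time

    def decide(self, alert: Alert) -> tuple[bool, str]:
        """Return (shun, reason) without changing any state."""
        if alert.src_ip in NEVER_SHUN:
            return False, "address is on the never-shun list"
        if alert.signature not in SHUN_ELIGIBLE:
            return False, "signature not in the high-impact/low-false-positive set"
        if alert.protocol != "tcp":
            return False, "non-TCP traffic is easy to spoof"
        if not alert.tcp_established:
            return False, "no established TCP session (e.g. SYN flood); source may be spoofed"
        return True, "high-impact TCP attack on an established session"

    def process(self, alert: Alert) -> tuple[bool, str]:
        """Apply the decision; a shun is always recorded with an expiry."""
        shun, reason = self.decide(alert)
        if shun:
            self.blocks[alert.src_ip] = alert.ts + timedelta(minutes=self.shun_minutes)
        return shun, reason

    def is_blocked(self, ip: str, now: datetime) -> bool:
        """True while a shun is active; expired entries are dropped on lookup."""
        expiry = self.blocks.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocks[ip]
            return False
        return True

    def lift(self, ip: str) -> None:
        """Administrator reviewed the event and cleared the shun early."""
        self.blocks.pop(ip, None)


def run_scenario() -> dict:
    """Walk through the cases discussed in the text and return the outcomes."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    policy = ShunPolicy(shun_minutes=10)
    # Constructed alerts; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
    syn_flood = Alert("TCP-SYN-FLOOD", "192.0.2.160", "tcp", False, t0)
    udp_probe = Alert("SMB-EXPLOIT-ATTEMPT", "192.0.2.161", "udp", False, t0)
    exploit = Alert("WEB-CMD-INJECTION", "198.51.100.7", "tcp", True, t0)
    exploit2 = Alert("SMB-EXPLOIT-ATTEMPT", "198.51.100.8", "tcp", True, t0)
    mgmt = Alert("WEB-CMD-INJECTION", "192.0.2.1", "tcp", True, t0)

    out = {
        "syn_flood": policy.process(syn_flood)[0],   # spoofable: not shunned
        "udp_probe": policy.process(udp_probe)[0],   # UDP: not shunned
        "exploit": policy.process(exploit)[0],       # established TCP: shunned
        "exploit2": policy.process(exploit2)[0],
        "mgmt": policy.process(mgmt)[0],             # never-shun list wins
    }
    out["exploit_blocked_now"] = policy.is_blocked("198.51.100.7", t0 + timedelta(minutes=1))
    out["exploit_blocked_later"] = policy.is_blocked("198.51.100.7", t0 + timedelta(minutes=11))
    out["syn_flood_blocked"] = policy.is_blocked("192.0.2.160", t0)
    policy.lift("198.51.100.8")                      # administrator clears it early
    out["lifted_blocked"] = policy.is_blocked("198.51.100.8", t0)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The expiry check lives in the lookup rather than in a background timer, so a shun can never outlive its window even if the console process restarts; making a block permanent is deliberately a separate administrative step outside this policy, matching the text's point that the short shun only buys the administrator time to review the event.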
