[iwar] [fc:Reverse.firewall.dams.DoS.flood]

From: Fred Cohen (fc@all.net)
Date: 2001-11-06 19:02:53


To: iwar@onelist.com (Information Warfare Mailing List)

Reverse firewall dams DoS flood
By James Middleton, VNU Net, 11/6/2001 http://www.vnunet.com/News/1126617

In a bid to fight the growing menace from computer and router-based
denial of service (DoS) attacks, a security firm has developed a
technique to dam the DoS data flood at source.

Using funding from the Defense Advanced Research Projects Agency
(DARPA), security technology firm Cs3 is looking at the concept of
reverse firewalling, or keeping the flood of data from a DoS attack
dammed up at the source.

The Reverse Firewall works by filtering the outgoing packets from a
network. The difference between a legitimate application that uses high
bandwidth and a packet flooding attack is that, in the former case, the
machine at the other end of the conversation is participating in a
two-way conversation. In the case of a DoS attack, the exchange is
one-sided.

As research suggests that most distributed denial of service (DDoS)
attacks are carried out using zombie machines, high-bandwidth
infrastructure is a favourite target. This puts enterprises,
universities and ISPs at the top of a hacker's list.

"With near universal availability of permanent and faster connections to
the internet, and the attendant decrease of network security expertise
per individual computer, there is no scarcity of potential zombies,"
said Cs3.

But reverse firewalling effectively reduces the value of these machines
in such an attack to the equivalent of a slow dial-up connection, or
even less. "What we call a Reverse Firewall is, therefore, simply one
part of the functionality that could and should be provided by
firewalls," said the company.

A firewall is in a position to distinguish these two cases, since all of
the traffic between the local network and the outside passes through
it. The technology limits the rate at which the firewall forwards
packets that are not replies to other packets that recently were
forwarded in the other direction. Packets that are not replies, for
instance to start a new conversation, simply need not be transmitted at
a high rate.

And while the technology could help potential victims outside of a
compromised network, the users of that network will still be suffering
from loss of bandwidth gobbled up in the attack. However, reverse
firewalls could be deployed internally, between network segments for
example, to turn the potential flood into nothing more than a trickle.

------------------
http://all.net/ 
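A small simulation of the egress rule the forwarded article describes: outbound packets that answer a recently forwarded inbound packet pass freely, while packets that are not replies draw from a token bucket and are dropped once it is empty. This is an added illustration written for this archive page, not Cs3's implementation or code from the article; the ReverseFirewall class, the reply window, the rate and burst values and the RFC 5737 documentation addresses are all assumptions constructed for the example.

```python
class ReverseFirewall:
    """Egress filter modelled on the article's rule (illustrative design, not Cs3's code).

    Replies to inbound packets seen within `reply_window` seconds pass freely; anything
    else (new conversations, or a flood toward a host that never answers) is token-bucket
    limited, so a zombie's one-sided flood is throttled at its source.
    """

    def __init__(self, reply_window=30.0, unsolicited_rate=5.0, burst=10):
        self.reply_window = reply_window      # seconds an inbound packet authorises replies
        self.rate = unsolicited_rate          # sustained unsolicited packets per second
        self.burst = burst                    # bucket capacity
        self.tokens = float(burst)
        self.last_refill = 0.0
        self.recent_inbound = {}              # (internal, external, proto) -> last inbound time

    def inbound_packet(self, t, src, dst, proto):
        """Record an inbound packet so a later (dst -> src) packet counts as a reply."""
        self.recent_inbound[(dst, src, proto)] = t

    def outbound_packet(self, t, src, dst, proto):
        """Return True if the packet is forwarded, False if it is rate-limited (dropped)."""
        seen = self.recent_inbound.get((src, dst, proto))
        if seen is not None and t - seen <= self.reply_window:
            return True                       # part of a two-way conversation
        # Not a reply: refill the bucket for elapsed time, then spend one token if available.
        self.tokens = min(self.burst, self.tokens + (t - self.last_refill) * self.rate)
        self.last_refill = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_flood(fw, zombie, victim, pps=1000, seconds=2):
    """One-sided UDP flood: the victim never sends anything back. Returns (forwarded, sent)."""
    sent = pps * seconds
    forwarded = sum(fw.outbound_packet(i / pps, zombie, victim, "udp") for i in range(sent))
    return forwarded, sent


def simulate_replies(fw, server, client, n=100):
    """Legitimate traffic: every client request is answered by the internal server."""
    forwarded = 0
    for i in range(n):
        t = i * 0.05
        fw.inbound_packet(t, client, server, "tcp")
        forwarded += fw.outbound_packet(t + 0.01, server, client, "tcp")
    return forwarded
```

With the constructed defaults, a 2,000-packet flood from `192.0.2.10` gets about 19 packets through (the burst plus 5 per second), while 100 server replies to `198.51.100.2` all pass without touching the bucket.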




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST