Solved

Any CVE or IPS signature for DDoS ?

Posted on 2014-11-04
5
292 Views
Last Modified: 2014-11-16
Q1:
Is DDoS detectable only by monitoring bandwidth surge?
Any other way to detect it?  Can IPS/IDS detect it?

Q2:
Which device do people usually monitor?
 packetshaper (or F5) or router/switch bandwidth ?

Q3:
Is there any CVE# or IPS signature for DDoS ?
0
Question by:sunhux
5 Comments
 
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 120 total points
ID: 40423196
There are many types of DDoSing; a popular one is using NTP responses. Unfortunately it is a simple script kiddie attack.
http://www.acunetix.com/blog/articles/ntp-reflection-ddos-attacks/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211

Monitor NTP traffic; if there are volume spikes on port 123 UDP, then you may be under such an attack;
Prevent IP spoofing – Make sure that the IP of your internet facing assets cannot be spoofed by implementing security measures such as BCP 38;
Close UDP 123 on your internet facing assets, if time synchronization is not required via NTP. Use a network scanner to identify assets on which port 123 UDP is open.
0
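The NTP monitoring advice above (watch for volume spikes on UDP/123) can be turned into a simple asymmetry check over flow records. This is an added example, not code from either answerer; the flow tuples, IPs and thresholds are constructed for illustration. A reflection flood shows up as large, unsolicited UDP source-port-123 traffic from many peers that we never sent a query to.

```python
"""Flag an inbound NTP reflection flood from constructed flow records."""

# Constructed flow records: (direction, proto, src_port, dst_port, peer_ip, bytes).
# "out" = leaving our edge, "in" = arriving at it. Two legitimate 48-byte
# NTP query/reply pairs, then 40 reflectors sending unsolicited responses.
SAMPLE_FLOWS = [
    ("out", "udp", 45000, 123, "203.0.113.10", 48),
    ("in",  "udp", 123, 45000, "203.0.113.10", 48),
    ("out", "udp", 45001, 123, "203.0.113.11", 48),
    ("in",  "udp", 123, 45001, "203.0.113.11", 48),
] + [
    ("in", "udp", 123, 80, f"198.51.100.{i}", 440 * 12) for i in range(1, 41)
]


def ntp_reflection_check(flows, max_ratio=10.0, min_reflectors=20):
    """Compare inbound UDP/123 bytes with the NTP queries we actually sent.

    Returns a dict with the byte totals, the in/out ratio, the number of
    peers that sent us NTP responses without being queried, and a verdict.
    Thresholds are illustrative; tune them against your own baseline.
    """
    out_bytes = 0
    in_bytes = 0
    queried = set()        # peers we sent an NTP request to
    responders = set()     # peers that sent us an NTP response
    for direction, proto, sport, dport, peer, nbytes in flows:
        if proto != "udp":
            continue
        if direction == "out" and dport == 123:
            out_bytes += nbytes
            queried.add(peer)
        elif direction == "in" and sport == 123:
            in_bytes += nbytes
            responders.add(peer)
    unsolicited = responders - queried
    ratio = in_bytes / max(out_bytes, 1)
    return {
        "in_bytes": in_bytes,
        "out_bytes": out_bytes,
        "ratio": round(ratio, 1),
        "unsolicited_sources": len(unsolicited),
        "suspicious": ratio > max_ratio and len(unsolicited) >= min_reflectors,
    }


if __name__ == "__main__":
    print(ntp_reflection_check(SAMPLE_FLOWS))
```

The same function run over only the first four flows (the legitimate pairs) yields a ratio of 1.0 and no unsolicited sources, so a normal NTP client is not flagged.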
 
LVL 64

Accepted Solution

by:btan
btan earned 380 total points
ID: 40423264
Q1: DDoS has volumetric, resource and application types. Meaning it is not just a surge of traffic volume; it can be a server suffering from undue memory or CPU exhaustion or starvation, e.g. this can include, at the application level, slow traffic building up HTTP connections in the wait state and piling up (at RAM resource pooling, or SQL benchmarking calculation chunking up CPU usage %). The attack varies from L3/4 up to L7. See the various UDP DDoS types and their amplification factors (impact):
https://www.us-cert.gov/ncas/alerts/TA14-017A

You cannot simply just rely on monitoring bandwidth surge, as in the use case above; the server resource is not a network monitor but requires endpoint system monitoring too. This can include the typical SNMP trap to monitor status etc.

As for IPS/IDS to detect, it can if an application-based signature detects the attempt, like Slow POST, Apache Range Killer or HTTP Flood using the LOIC or HOIC tools known to be used by hacker groups, and there are "signatures" crafted for those. E.g. F5 ADC can even have an iRule for such behaviour detection. Also check out the various DDoS types in this F5 sharing

Q2: All of the ICT systems can be DoS'ed and their availability can be affected; just see which need HA and you likely know the critical assets. Even FW and IDS/IPS can be DoS'ed. The actual concerns are those termed as points of failure and the critical backend servers, especially those exposed in the public or external network. They should have priority. Internal DoS can happen to chunk up lateral and vertical traffic flow, such as the Core and Access levels.

The other system monitoring for the whole data center and infra setup applies too, which is latency and throughput, to make sure service is acceptable. Cases of unavailability or slow traffic can pertain to an incident depending on the site SLA level.

Also site-to-site links are a point to be wary of, as they may indirectly cause sudden stoppage and denial of machine-to-machine job tasks if either end malfunctions etc.

Overall, look into network segmentation and segregation to better grasp a collective assessment of where the likely points to monitor and isolate are in the event of an incident:
http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Q3: If you look at cvedetails and NIST NVD there are the DoS types. If a CVE is available, it does not necessarily mean the IDS/FW has that signature. It depends on the provider. Some may even go into customisation in view of severity, like the saga of ShellShock etc.
http://www.cvedetails.com/vulnerability-list/opdos-1/denial-of-service.html
http://web.nvd.nist.gov/view/vuln/search-results?query=ddos&search_type=all&cves=on
0
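The resource-type DoS described in Q1 (slow traffic holding HTTP connections in a wait state until the worker pool is exhausted) is one where a bandwidth graph shows nothing, but a snapshot of the server's open connections does. This is an added example, not code from the answerer or from any product named above; the connection snapshot, IPs and thresholds are constructed for illustration.

```python
"""Spot slow-body (Slow POST style) connection build-up from a constructed
snapshot of a web server's open connections."""
from collections import defaultdict

# Constructed snapshot: (client_ip, state, seconds_open, declared_content_length,
# bytes_received). One normal upload, one connection writing a response, and
# 30 connections from a single client that each declared a 1 MB body and have
# trickled in only a few dozen bytes over two minutes.
SAMPLE_CONNS = [
    ("192.0.2.5", "reading_body", 3, 2048, 2048),
    ("192.0.2.6", "writing_response", 1, 0, 0),
] + [
    ("198.51.100.7", "reading_body", 120 + i, 1_000_000, 40 + i) for i in range(30)
]


def slow_post_report(conns, worker_limit=150, min_seconds=60,
                     max_rate=2.0, min_conns=10):
    """Count connections stuck reading a request body at a crawl.

    A connection is "slow" when it has been reading the body for at least
    min_seconds, is still short of its declared length, and is receiving
    under max_rate bytes/s. Clients holding min_conns or more such
    connections are listed as offenders, and the share of the worker pool
    (worker_limit is an assumed pool size) they consume is reported.
    """
    per_client = defaultdict(int)
    slow_total = 0
    for ip, state, secs, declared, received in conns:
        if state != "reading_body" or secs < min_seconds:
            continue
        if received < declared and received / secs < max_rate:
            per_client[ip] += 1
            slow_total += 1
    offenders = {ip: n for ip, n in per_client.items() if n >= min_conns}
    return {
        "slow_connections": slow_total,
        "offenders": offenders,
        "worker_pool_used_pct": round(100.0 * slow_total / worker_limit, 1),
    }


if __name__ == "__main__":
    print(slow_post_report(SAMPLE_CONNS))
```

Feeding the report a per-client connection cap or a body-read timeout (the usual mitigations) is outside this snippet; the point is that the signal lives in connection state and duration, not in bytes per second.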
 

Author Comment

by:sunhux
ID: 40423366
Can we say that DDoS manifests in 'high bandwidth' while DoS may not
necessarily be so?
0
 
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 120 total points
ID: 40423387
Since DOS stands for Denial of Service and DDOS is Distributed Denial of Service, either way, whether it is from 1 or 1000 endpoints, the result is the same: it overflows your input points. Your IPS may be busy dropping packets until it gets overloaded; for this reason I use a service called Cloudflare to mitigate against DDOS/DOS attacks.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 380 total points
ID: 40423715
It tends to be the case as laymen understand it, hence the "distributed" word prepended to DoS. Some providers differ; for instance and info see http://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html or even this FAQ http://www.security-faqs.com/dos-vs-ddos-what-is-the-difference.html

DDoS requires amplification and really bots to launch it, and typically it can come from around the globe, not necessarily from the same country or a few machines, unlike DoS. Effective DDoS mitigation also needs to take into account the aspect of layered defence measures with the ISP and CDN provider prior to reaching your Enterprise asset, which has on-premise DoS measures, but it is unlikely the site can handle more than a 100Gbps attack...

However recent attacks have also proven that reflection-type DoS can be triggered using a small controlled asset to amplify the effect; you should catch the link from CERT that I posted for info.
0
