Solved

Any CVE or IPS signature for DDoS ?

Posted on 2014-11-04
290 Views
Last Modified: 2014-11-16
Q1:
Is DDoS detectable only by monitoring bandwidth surges?
Any other way to detect it? Can IPS/IDS detect it?

Q2:
Which device do people usually monitor?
PacketShaper (or F5) or router/switch bandwidth?

Q3:
Is there any CVE# or IPS signature for DDoS?
Question by:sunhux
5 Comments
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 120 total points
ID: 40423196
There are many types of DDoSing; a popular one is using NNTP responses. Unfortunately it is a simple script kiddie attack.
http://www.acunetix.com/blog/articles/ntp-reflection-ddos-attacks/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211

Monitor NTP traffic; if there are volume spikes on port 123 UDP, then you may be under such an attack.
Prevent IP spoofing: make sure that the IPs of your internet-facing assets cannot be spoofed by implementing security measures such as BCP 38.
Close UDP 123 on your internet-facing assets if time synchronization via NTP is not required. Use a network scanner to identify assets on which port 123 UDP is open.
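The three checks in the answer above (watch for UDP/123 volume spikes, BCP 38 anti-spoofing, audit which hosts talk on port 123), as an added example that is not part of the original post. The flow records, the local prefix 10.0.0.0/8 and the spike and rate thresholds are constructed assumptions, not values from the page.

```python
"""Flag NTP (UDP/123) reflection traffic in constructed flow records.

Added example (not the original post's code). Checks: a per-minute spike of
UDP/123 bytes arriving at a host, an amplification ratio (UDP/123 bytes
received vs. the tiny requests sent), and a BCP 38 egress test for flows whose
source address is not in our prefix. All records are constructed sample data.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed local prefix

# Constructed flows: (minute, src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    (0, "10.0.0.5", 40000, "203.0.113.10", 123, "udp", 90),  # normal request
    (0, "203.0.113.10", 123, "10.0.0.5", 40000, "udp", 90),  # normal reply
    (1, "10.0.0.5", 40001, "203.0.113.10", 123, "udp", 90),
    (1, "203.0.113.10", 123, "10.0.0.5", 40001, "udp", 90),
    # minute 2: large replies from NTP servers that 10.0.0.5 never queried
    (2, "198.51.100.1", 123, "10.0.0.5", 123, "udp", 48000),
    (2, "198.51.100.2", 123, "10.0.0.5", 123, "udp", 52000),
    (2, "198.51.100.3", 123, "10.0.0.5", 123, "udp", 47000),
    # minute 2: outbound flow carrying a foreign (spoofed) source address
    (2, "192.0.2.77", 5555, "198.51.100.9", 123, "udp", 60),
]

def ntp_bytes_per_minute(flows, victim):
    """Bytes per minute arriving at `victim` from UDP source port 123."""
    per_min = defaultdict(int)
    for minute, src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and dst == victim and sport == 123:
            per_min[minute] += nbytes
    return dict(per_min)

def spike_minutes(per_min, baseline, factor=10):
    """Minutes whose inbound NTP bytes exceed `factor` x the baseline average."""
    avg = sum(per_min.get(m, 0) for m in baseline) / len(baseline)
    return sorted(m for m, b in per_min.items() if m not in baseline and b > factor * avg)

def amplification_ratio(flows, host):
    """UDP/123 bytes received by `host` divided by UDP/123 bytes it sent."""
    sent = sum(f[6] for f in flows if f[5] == "udp" and f[1] == host and f[4] == 123)
    recv = sum(f[6] for f in flows if f[5] == "udp" and f[3] == host and f[2] == 123)
    return recv / sent if sent else float("inf")

def spoofed_egress(flows, local_net=LOCAL_NET):
    """BCP 38 check: flows at our edge with neither endpoint in our prefix."""
    return [f for f in flows if ipaddress.ip_address(f[1]) not in local_net
            and ipaddress.ip_address(f[3]) not in local_net]
```

On real NetFlow/IPFIX exports the same functions apply per exporter; the spoofed-egress list is what a BCP 38 ingress filter on the edge router would have dropped.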
 
LVL 63

Accepted Solution

by:
btan earned 380 total points
ID: 40423264
Q1: DDoS has volumetric, resource and application types. Meaning it is not just a surge of traffic volume, but it can be a server suffering from undue memory or CPU etc. exhaustion or starvation; e.g. this can include, at application level, slow traffic building up HTTP connections in wait state and piling up (at RAM resource pooling, or SQL benchmarking calculation chunking up CPU usage %). The attack varies from L3/4 up to L7. See the various UDP DDoS types and their amplification factor (impact):
https://www.us-cert.gov/ncas/alerts/TA14-017A

You cannot simply rely on monitoring bandwidth surges, as in the use case above; the server resource is not a network monitor but requires endpoint system monitoring too. This can include the typical SNMP trap to monitor status etc.

As for IPS/IDS detecting it, it can if an application-based signature detects the attempt, like Slow POST, Apache Range Killer or HTTP Flood using the LOIC or HOIC tools known to be used by hacker groups, and there are "signatures" crafted for those. E.g. F5 ADC can even have an iRule for such behaviour detection. Also check out the various DDoS types in this F5 sharing.

Q2: All of the ICT systems can be DoS'd and their availability can be affected; just see which need HA and you likely know the critical assets. Even FW and IDS/IPS can be DoS'd. The actual concerns are those termed as points of failure and the critical backend servers, especially those exposed in the public or external network. They should have priority. Internal DoS can happen to chunk up lateral and vertical traffic flow such as the Core and Access levels.

The other aspect, system monitoring for the whole of the data center and infra setup, applies too, which is the latency and throughput, to make sure service is acceptable. Cases of unavailability or slow traffic can pertain to an incident depending on the site SLA level.

Also site-to-site links are a point to be wary of, as they may indirectly cause machine-to-machine job tasks to stop suddenly and be denied if either end malfunctions etc.

Overall, look into network segmentation and segregation to better grasp a collective assessment of where the likely points are to monitor and isolate in the event of an incident:
http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Q3: If you look at cvedetails and NIST NVD there are the DoS types. If a CVE is available, it does not necessarily mean the IDS/FW has that signature. It depends on the provider. Some may even go into customisation in view of severity, like the saga of ShellShock etc.
http://www.cvedetails.com/vulnerability-list/opdos-1/denial-of-service.html
http://web.nvd.nist.gov/view/vuln/search-results?query=ddos&search_type=all&cves=on
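The Q1 point above, that a resource-type DDoS shows up as HTTP connections piling up in a wait state rather than as a bandwidth surge, as an added example that is not part of the answer. The connection-table snapshot, the Conn fields and the age/rate/count thresholds are constructed assumptions, not values from the page.

```python
"""Flag slow-POST style resource exhaustion from a constructed connection table.

Added example (not the original post's code). The answer's point is that a
resource DDoS shows up as HTTP connections held open in a waiting state, not
as a bandwidth surge, so this scores each client by how many long-lived,
low-rate request connections it holds. All rows are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    client: str        # client IP
    state: str         # "reading_headers", "reading_body", "idle" or "sending"
    age_s: float       # seconds since the connection was accepted
    recv_bytes: int    # request bytes received so far
    declared_len: int  # Content-Length the client announced (0 if none)

# Constructed snapshot of a web server's connection table
CONNS = [Conn("192.0.2.44", "reading_body", 2.0, 40960, 40960),
         Conn("203.0.113.9", "idle", 5.0, 0, 0)]
# one client trickling six requests that each announce a 1 MB body
CONNS += [Conn("198.51.100.7", "reading_body", 120.0 + i, 200 + i, 1_000_000)
          for i in range(6)]

WAITING = {"reading_headers", "reading_body"}

def is_slow(conn, min_age=30.0, max_rate=10.0):
    """True if the request has been trickling in for a long time at a low rate."""
    if conn.state not in WAITING or conn.age_s < min_age:
        return False
    return conn.recv_bytes / conn.age_s < max_rate   # bytes per second

def seconds_to_finish(conn):
    """Estimated time until the announced body arrives at the current rate."""
    rate = conn.recv_bytes / conn.age_s if conn.age_s else 0.0
    pending = max(conn.declared_len - conn.recv_bytes, 0)
    return pending / rate if rate else float("inf")

def slow_clients(conns, min_conns=5):
    """Clients holding at least `min_conns` slow connections -> count held."""
    held = defaultdict(int)
    for c in conns:
        if is_slow(c):
            held[c.client] += 1
    return {ip: n for ip, n in held.items() if n >= min_conns}

def pool_share(conns, client):
    """Fraction of the connection table a single client occupies."""
    return sum(1 for c in conns if c.client == client) / len(conns)
```

The same scoring can be fed from a server status page or a load balancer's connection table; the total bytes involved here are tiny, which is why bandwidth graphs alone miss this class of attack.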
 

Author Comment

by:sunhux
ID: 40423366
Can we say that DDoS manifests in 'high bandwidth' while DoS may not necessarily be so?
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 120 total points
ID: 40423387
Since DOS stands for Denial of Service and DDOS is Distributed Denial of Service, either way, whether it is from 1 or 1000 endpoints, the result is the same: it overflows your input points, and your IPS may be busy dropping packets until it gets overloaded. For this reason I use a service called Cloudflare to mitigate against DDOS/DOS attacks.
 
LVL 63

Assisted Solution

by:btan
btan earned 380 total points
ID: 40423715
It tends to be the case as laymen understand it, hence the "distributed" word prepended to DoS. Some providers differ; for instance and info see http://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html or even this FAQ http://www.security-faqs.com/dos-vs-ddos-what-is-the-difference.html

DDoS requires amplification and really bots to launch that, and typically it can come from globally, not necessarily from the same country or a few machines, unlike DoS. Effective DDoS mitigation also needs to take into account the aspect of layered defence measures with the ISP and CDN provider prior to reaching your Enterprise asset, which has on-premise DoS measures, but it is unlikely the site can handle more than a 100Gbps attack...

However, recent attacks have also proven that reflection types of DoS can be triggered using a small controlled asset to amplify the effect; you should catch the link from CERT that I posted for info.
