Any CVE or IPS signature for DDoS?

Q1:
Is DDoS detectable only by monitoring bandwidth surge?
Any other way to detect it? Can IPS/IDS detect it?

Q2:
Which device do people usually monitor? Packetshaper (or F5) or router/switch bandwidth?

Q3:
Is there any CVE# or IPS signature for DDoS?
sunhux asked:

David Johnson, CD, MVP (Owner) commented:
There are many types of DDoSing; a popular one uses NTP responses. Unfortunately it is a simple script kiddie attack.
http://www.acunetix.com/blog/articles/ntp-reflection-ddos-attacks/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211

Monitor NTP traffic; if there are volume spikes on port 123 UDP, then you may be under such an attack;
Prevent IP spoofing – Make sure that the IP of your internet facing assets cannot be spoofed by implementing security measures such as BCP 38;
Close UDP 123 on your internet facing assets, if time synchronization is not required via NTP. Use a network scanner to identify assets on which port 123 UDP is open.
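An added example (not from the original answer) of the UDP/123 volume check described above, run over constructed flow records; the baseline window and the spike factor are assumed thresholds to be tuned per site.

```python
"""Flag seconds where UDP/123 (NTP) traffic volume jumps far above its recent
baseline, the indicator David Johnson's answer suggests monitoring.

Added example, not from the original post. Flow records are constructed here;
in practice they would come from NetFlow/sFlow or a packet capture.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: (epoch_second, proto, src_port, dst_port, bytes)
FLOWS = [
    (0, "udp", 123, 40001, 90), (0, "udp", 123, 40002, 90),   # normal NTP polls
    (1, "udp", 123, 40003, 90),
    (2, "udp", 123, 40004, 90), (2, "udp", 53, 51000, 120),   # unrelated DNS
    (3, "udp", 123, 40005, 90),
    (4, "udp", 123, 40006, 90),
    # Constructed spike: many very large responses sourced from port 123.
    (5, "udp", 123, 40007, 48000), (5, "udp", 123, 40008, 48000),
    (6, "udp", 123, 40009, 48000), (6, "udp", 123, 40010, 48000),
]

def ntp_bytes_per_second(flows):
    """Sum bytes per second for flows with UDP/123 on either side."""
    buckets = defaultdict(int)
    for ts, proto, sport, dport, nbytes in flows:
        if proto == "udp" and 123 in (sport, dport):
            buckets[ts] += nbytes
    return dict(sorted(buckets.items()))

def spike_seconds(flows, baseline_len=3, factor=10):
    """Return (second, bytes, baseline) for each second whose UDP/123 volume
    exceeds `factor` times the median of the preceding `baseline_len` seconds.
    Both parameters are assumed values; a site needs its own normal profile."""
    per_sec = ntp_bytes_per_second(flows)
    seconds = list(per_sec)
    alerts = []
    for i in range(baseline_len, len(seconds)):
        ts = seconds[i]
        base = median(per_sec[t] for t in seconds[i - baseline_len:i])
        if base > 0 and per_sec[ts] > factor * base:
            alerts.append((ts, per_sec[ts], base))
    return alerts

if __name__ == "__main__":
    for ts, vol, base in spike_seconds(FLOWS):
        print(f"t={ts}s UDP/123 volume {vol} B vs baseline {base} B")
```

Because the median of the preceding window is used as the baseline, the first spike second does not inflate the baseline for the next one, so a sustained flood keeps alerting.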
btan (Exec Consultant) commented:
Q1: DDoS has volumetric, resource and application types. Meaning it is not just a surge of traffic volume; it can also be a server suffering from undue memory or CPU exhaustion or starvation, e.g. at the application level with slow traffic building up HTTP connections in a wait state and piling up (at RAM resource pooling, or SQL benchmarking calculations chunking up CPU usage %). The attack varies from L3/4 up to L7. See the various UDP DDoS types and their amplification factor (impact):
https://www.us-cert.gov/ncas/alerts/TA14-017A

You cannot simply rely on monitoring bandwidth surges, as in the use case above; server resources are not visible to a network monitor, so endpoint system monitoring is required too. This can include the typical SNMP trap to monitor status etc.

As for IPS/IDS detection, it can if the signature is application based and detects attempts like Slow POST, Apache Range Killer or HTTP Flood using the LOIC or HOIC tools known to be used by hacker groups; there are "signatures" crafted for those. E.g. F5 ADC can even have an iRule for such behaviour detection. Also check out the various DDoS types in this F5 sharing.

Q2: Any ICT system can be DoSed and its availability affected; just see which need HA and you likely know the critical assets. Even FW and IDS/IPS can be DoSed. The actual concerns are those termed points of failure and the critical backend servers, especially those exposed on the public or external network. They should have priority. Internal DoS can also happen, chunking up lateral and vertical traffic flow such as at the Core and Access levels.

The other aspect, system monitoring for the whole data center and infra setup, applies too: latency and throughput, to make sure service is acceptable. Cases of unavailability or slow traffic can constitute an incident depending on the site's SLA level.

Site-to-site links are also points to be wary of, as a malfunction at either end may indirectly cause machine-to-machine job tasks to stop suddenly and be denied, etc.

Overall, look into network segmentation and segregation to better grasp, through a collective assessment, where the likely points are to monitor and isolate in the event of an incident:
http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Q3: If you look at cvedetails and NIST NVD there are the DoS types. If a CVE is available, it does not necessarily mean the IDS/FW has that signature. It depends on the provider; some may even go into customisation in view of severity, like the saga of ShellShock etc.
http://www.cvedetails.com/vulnerability-list/opdos-1/denial-of-service.html
http://web.nvd.nist.gov/view/vuln/search-results?query=ddos&search_type=all&cves=on
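An added example (not from the original answer) of the two L7 indicators btan names, an HTTP Flood and Slow POST, checked over constructed inputs: an access log for request rate per client, and a snapshot of the server's connection table for connections stuck reading a request body. The thresholds and the connection-table layout are assumptions.

```python
"""Two application-layer DoS indicators: HTTP Flood (request rate per client)
and Slow POST (many connections from one client held in the reading state).

Added example, not from the original post. Both inputs are constructed; real
ones would come from the web server's access log and its status page.
"""
import re
from collections import Counter

# Combined log format: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed access log: one client sends 30 GETs per second for 10 seconds,
# one ordinary client sends a single request.
ACCESS_LOG = [
    f'198.51.100.7 - - [10/Oct/2014:13:55:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    for s in range(10) for _ in range(30)
] + ['203.0.113.9 - - [10/Oct/2014:13:55:03 +0000] "GET /about HTTP/1.1" 200 900']

def http_flood_clients(lines, max_rps=20):
    """Clients whose request count in any single second exceeds max_rps (an
    assumed threshold; pages with many assets may need a higher one)."""
    per_client_second = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in combined format
        client, ts = m.group(1), m.group(2).split()[0]   # drop the timezone
        per_client_second[(client, ts)] += 1
    return sorted({c for (c, _), n in per_client_second.items() if n > max_rps})

# Constructed connection-table snapshot: (client, state, seconds in that state).
# State names are assumed; a real status page uses its own labels.
CONNECTIONS = (
    [("192.0.2.44", "reading_request", 120 + i) for i in range(50)]
    + [("203.0.113.9", "sending_reply", 1), ("198.51.100.7", "keepalive", 3)]
)

def slow_post_clients(conns, min_conns=25, min_seconds=60):
    """Clients holding at least min_conns connections in the reading state for
    min_seconds or longer: the Slow POST pattern (body trickled in slowly)."""
    held = Counter(c for c, state, secs in conns
                   if state == "reading_request" and secs >= min_seconds)
    return sorted(c for c, n in held.items() if n >= min_conns)

if __name__ == "__main__":
    print("HTTP flood sources:", http_flood_clients(ACCESS_LOG))
    print("Slow POST sources:", slow_post_clients(CONNECTIONS))
```

Neither check sees the 1000-host distributed case on its own; per-client thresholds catch a noisy few, while the aggregate (total connections in the reading state, total requests per second) is what to watch for a spread-out attack.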

sunhux (Author) commented:
Can we say that DDoS manifests in 'high bandwidth' while DoS may not necessarily be so?
David Johnson, CD, MVP (Owner) commented:
Since DoS stands for Denial of Service and DDoS is Distributed Denial of Service, either way, whether it is from 1 or 1000 endpoints, the result is the same: it overflows your input points, and your IPS may be busy dropping packets until it gets overloaded. For this reason I use a service called Cloudflare to mitigate against DDoS/DoS attacks.
btan (Exec Consultant) commented:
It tends to be the case as laymen understand it, hence the "distributed" word prepended to DoS. Some differ from the provider; for instance and info see http://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html or even this FAQ http://www.security-faqs.com/dos-vs-ddos-what-is-the-difference.html

DDoS requires amplification and really bots to launch, and typically it can come from around the globe, not necessarily from the same country or a few machines, unlike DoS. Effective DDoS mitigation also needs to take into account layered defence measures with the ISP and CDN provider prior to reaching your enterprise assets, which have on-premise DoS measures, but it is unlikely the site can handle more than a 100Gbps attack...

However, recent attacks have also proven that reflection types of DoS can be triggered using small controlled assets to amplify the effect; you should catch the link from CERT that I posted for info.