Any CVE or IPS signature for DDoS?

Posted on 2014-11-04
Last Modified: 2014-11-16
Q1:
Is DDoS detectable only by monitoring bandwidth surge?
Any other way to detect it?  Can IPS/IDS detect it?

Q2:
Which device do people usually monitor?
Packetshaper (or F5), or router/switch bandwidth?

Q3:
Is there any CVE# or IPS signature for DDoS?
Question by: sunhux

Assisted Solution

by: David Johnson, CD, MVP
ID: 40423196
There are many types of DDoSing; a popular one is using NTP responses. Unfortunately it is a simple script kiddie attack:
http://www.acunetix.com/blog/articles/ntp-reflection-ddos-attacks/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211

Monitor NTP traffic; if there are volume spikes on port 123 UDP, then you may be under such an attack;
Prevent IP spoofing – Make sure that the IP of your internet facing assets cannot be spoofed by implementing security measures such as BCP 38;
Close UDP 123 on your internet facing assets, if time synchronization is not required via NTP. Use a network scanner to identify assets on which port 123 UDP is open.
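The "volume spikes on port 123 UDP" check from the comment above, worked through on flow records, as an added example (this is not code from the thread or from either expert). It assumes NetFlow-style records with the fields shown, an illustrative 468-byte response size, and thresholds chosen for the example; all sample traffic is constructed. Reflected traffic reaches the victim as responses (UDP source port 123) from many distinct NTP servers carrying large packets, whereas a host's own time sync is a trickle of small packets from a few configured servers, so the detector requires all three of: a volume spike over a learned baseline, many distinct responding servers, and a large average packet size.

```python
"""Flag the NTP reflection pattern from flow records (added example)."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    packets: int
    octets: int


@dataclass(frozen=True)
class Alert:
    target: str
    window_start: int
    octets: int
    reflectors: int    # distinct NTP servers answering towards the target
    avg_pkt: float


def aggregate_ntp_responses(flows: Iterable[Flow], window: int = 60) -> Dict[Tuple[str, int], dict]:
    """Sum traffic sourced from UDP/123 per (target, window start)."""
    agg: Dict[Tuple[str, int], dict] = defaultdict(
        lambda: {"octets": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp" or f.sport != 123:
            continue
        b = agg[(f.dst, (f.ts // window) * window)]
        b["octets"] += f.octets
        b["packets"] += f.packets
        b["reflectors"].add(f.src)
    return agg


def learn_baseline(quiet_flows: Iterable[Flow], target: str, window: int = 60) -> float:
    """Median bytes per window of NTP responses to `target` over a known-quiet period."""
    totals = [b["octets"] for (t, _), b in aggregate_ntp_responses(quiet_flows, window).items()
              if t == target]
    return statistics.median(totals) if totals else 0.0


def detect_ntp_reflection(flows: Iterable[Flow], baselines: Dict[str, float], window: int = 60,
                          spike_factor: float = 10.0, floor_octets: int = 10_000,
                          min_reflectors: int = 20, min_avg_pkt: float = 200.0) -> List[Alert]:
    """Alert when a window's NTP response volume to a target spikes well above its
    baseline AND comes from many servers AND carries large packets. Requiring all
    three keeps a single busy time server or a one-off burst from alerting.
    Thresholds are assumptions for this example; tune them to your own baseline."""
    alerts: List[Alert] = []
    for (target, start), b in sorted(aggregate_ntp_responses(flows, window).items()):
        if not b["packets"]:
            continue
        threshold = spike_factor * max(baselines.get(target, 0.0), floor_octets)
        avg_pkt = b["octets"] / b["packets"]
        if b["octets"] > threshold and len(b["reflectors"]) >= min_reflectors and avg_pkt >= min_avg_pkt:
            alerts.append(Alert(target, start, b["octets"], len(b["reflectors"]), round(avg_pkt, 1)))
    return alerts


# Constructed sample data (not real traffic). 203.0.113.10 syncs against two
# NTP servers during minutes 0 and 1; in minute 2 forty open NTP servers answer
# spoofed monlist queries towards it with 468-byte responses (illustrative size).
QUIET = [
    Flow(0, "192.0.2.1", 123, "203.0.113.10", 34567, "udp", 4, 304),
    Flow(5, "192.0.2.2", 123, "203.0.113.10", 34568, "udp", 4, 304),
    Flow(60, "192.0.2.1", 123, "203.0.113.10", 34569, "udp", 4, 304),
    Flow(65, "192.0.2.2", 123, "203.0.113.10", 34570, "udp", 4, 304),
]
ATTACK = [
    Flow(120 + i % 30, f"198.51.100.{i}", 123, "203.0.113.10", 80, "udp", 400, 400 * 468)
    for i in range(1, 41)
]

if __name__ == "__main__":
    base = {"203.0.113.10": learn_baseline(QUIET, "203.0.113.10")}
    for a in detect_ntp_reflection(QUIET + ATTACK, base):
        print(a)
```

The quiet minutes never trip the detector even though the baseline is only a few hundred bytes, because the absolute floor and the reflector count both have to be exceeded; the attack minute trips it on all three conditions. On a real collector the same aggregation runs over exported flows, and the same idea applies to the other reflector ports listed in the US-CERT alert.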
Accepted Solution

by: btan
ID: 40423264
Q1: DDoS comes in volumetric, resource-exhaustion and application types. Meaning it is not just a surge of traffic volume; it can be the server suffering undue memory or CPU exhaustion or starvation, e.g. at the application level, with slow traffic building up HTTP connections in a wait state and piling up (eating the RAM resource pool, or SQL benchmark calculations chewing up CPU usage %). The attacks vary from L3/4 up to L7. See the various UDP DDoS types and their amplification factors (impact):
https://www.us-cert.gov/ncas/alerts/TA14-017A

You cannot simply rely on monitoring bandwidth surges. In the use case above, the server resource is not something a network monitor sees; endpoint system monitoring is required too. This can include the typical SNMP traps to monitor status etc.

As for IPS/IDS detection, it can, if application-based signatures detect the attempt, like Slow POST, Apache Range Killer or HTTP Flood using the LOIC or HOIC tools known to be used by hacker groups; there are "signatures" crafted for those. E.g. an F5 ADC can even have an iRule for such behaviour detection. Also check out the various DDoS types in this F5 sharing.

Q2: Any ICT system can be DoSed and its availability affected; just see which need HA and you likely know the critical assets. Even FWs and IDS/IPS can be DoSed. The actual concerns are those termed points of failure and the critical backend servers, especially those exposed to the public or external network. They should have priority. Internal DoS can happen too, choking lateral and vertical traffic flow such as at the Core and Access levels.

The other aspect, system monitoring for the whole data center and infra setup, applies too: latency and throughput, to make sure service is acceptable. Cases of unavailability or slow traffic can constitute an incident depending on the site's SLA level.

Site-to-site links are also a point to be wary of, as they may indirectly cause machine-to-machine job tasks to stop suddenly, with denial if either end malfunctions etc.

Overall, look into network segmentation and segregation to better grasp, in a collective assessment, the likely points to monitor and isolate in the event of an incident:
http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Q3: If you look at cvedetails and NIST NVD, there are the DoS types. If a CVE is available, it does not necessarily mean the IDS/FW has that signature. It depends on the provider; some may even go into customisation in view of severity, like the saga of ShellShock etc.
http://www.cvedetails.com/vulnerability-list/opdos-1/denial-of-service.html
http://web.nvd.nist.gov/view/vuln/search-results?query=ddos&search_type=all&cves=on
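btan's point that an application-layer DoS need not appear as a bandwidth surge, as an added example (not code from the thread or from either expert): a slow-HTTP pile-up (Slowloris / slow POST) read off the server's own connection table. It assumes one record per accepted connection with the fields shown (the shape `ss -tni` or an application server's status page gives you; the field names, thresholds and worker count are assumptions) and the sample table is constructed. The signature is many ESTABLISHED connections per client that are old but have delivered almost no request data: they occupy a large share of the worker pool while using almost no bandwidth, which is exactly what a link-utilisation graph will not show.

```python
"""Spot a slow-HTTP connection pile-up from the connection table (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Conn:
    client: str
    state: str       # "ESTAB", "SYN-RECV", "TIME-WAIT", ...
    age_s: float     # seconds since the connection was accepted
    bytes_in: int    # request bytes received so far


@dataclass(frozen=True)
class Report:
    suspects: List[Tuple[str, int]]  # (client, stalled connections), worst first
    stalled: int                     # stalled connections server-wide
    pool_fraction: float             # share of the worker pool they occupy
    bytes_per_s: float               # aggregate inbound rate of the stalled set


def is_stalled(c: Conn, min_age_s: float, max_bytes: int) -> bool:
    """Established for a while, yet the request still has not arrived."""
    return c.state == "ESTAB" and c.age_s >= min_age_s and c.bytes_in < max_bytes


def slow_http_report(conns: Iterable[Conn], max_workers: int,
                     min_age_s: float = 30.0, max_bytes: int = 1024,
                     min_conns: int = 20) -> Report:
    """min_conns keeps a genuinely slow client (an upload or two on a bad link)
    out of the suspect list; pool_fraction is the number operators care about,
    because at 1.0 the server stops accepting anyone. Thresholds are assumptions."""
    stalled = [c for c in conns if is_stalled(c, min_age_s, max_bytes)]
    per_client = Counter(c.client for c in stalled)
    suspects = sorted(((cl, n) for cl, n in per_client.items() if n >= min_conns),
                      key=lambda x: (-x[1], x[0]))
    rate = sum(c.bytes_in / c.age_s for c in stalled)
    return Report(suspects, len(stalled), len(stalled) / max_workers, round(rate, 1))


# Constructed sample (not a real capture): a prefork-style server with 256
# workers. 198.51.100.7 holds 150 connections open for two minutes, having sent
# a few header bytes each; 192.0.2.50 is a busy but honest client; 192.0.2.77 is
# a slow legitimate uploader that must not be listed as a suspect.
SAMPLE = (
    [Conn("198.51.100.7", "ESTAB", 120.0, 300) for _ in range(150)]
    + [Conn("192.0.2.50", "ESTAB", 2.0, 4000) for _ in range(6)]
    + [Conn("192.0.2.77", "ESTAB", 90.0, 180) for _ in range(3)]
    + [Conn("192.0.2.50", "TIME-WAIT", 40.0, 4000) for _ in range(10)]
)

if __name__ == "__main__":
    r = slow_http_report(SAMPLE, max_workers=256)
    print(r)
```

In the sample the attacker holds about 60% of the worker pool with an inbound rate of a few hundred bytes per second, which is why this class of DoS has to be caught from the endpoint (connection states, worker occupancy, memory and CPU) rather than from a bandwidth counter on the router or packetshaper.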
Author Comment

by:sunhux
ID: 40423366
Can we say that DDoS manifests in 'high bandwidth' while DoS may not necessarily be so?
Assisted Solution

by: David Johnson, CD, MVP
ID: 40423387
Since DoS stands for Denial of Service and DDoS is Distributed Denial of Service, either way, whether it is from 1 or 1000 endpoints, the result is the same: it overflows your input points. Your IPS may be busy dropping packets until it gets overloaded; for this reason I use a service called Cloudflare to mitigate against DDoS/DoS attacks.
Assisted Solution

by: btan
ID: 40423715
It tends to be the case as laymen understand it, hence the "distributed" word prepended to DoS. Some differences, by provider, for instance and info: http://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html or even this FAQ http://www.security-faqs.com/dos-vs-ddos-what-is-the-difference.html

DDoS requires amplification and really bots to launch it, and typically it can come from around the globe, not necessarily the same country or a few machines, unlike DoS. Effective DDoS mitigation also needs to take into account the layered defence measures with the ISP and CDN provider prior to reaching your enterprise assets, which have on-premise DoS measures, but it is unlikely the site can handle more than a 100Gbps attack...

However, recent attacks have also proven that reflection types of DoS can be triggered using a small set of controlled assets to amplify the effect; you should catch the link from CERT that I posted for info.