March 27th, 2003, 02:44 PM
Riverhead Networks DDoS Prevention
I am intrigued by the marketing hype about this product. Has anyone used this or anything like it? Can you tell me how it does what it does or whether this is a viable security product?
Utilizing patent-pending algorithms and technologies, the Riverhead solutions — the Riverhead Detector and the Riverhead Guard — deliver the industry's most complete, most accurate, and most effective DDoS detection and mitigation services, significantly reducing the duration and impact of DDoS attacks. Based on a unique Multi-Verification Process (MVP) architecture, the Riverhead solutions employ the principles of detection, diversion, and integrated verification and enforcement to protect against all types of known, new and even previously unseen DDoS attacks.
Too often products don't quite live up to the description supplied by the vendor's PR team. I like to get real-world feedback from other real-world admins who have used the product.
March 27th, 2003, 04:13 PM
I guess that product is a kind of IDS based on a heuristic algorithm!
It analyzes the incoming traffic statistically, and when the amount of a certain type of traffic is greater than a specified threshold, an alarm shows up.
This technology is not mature because it relies on traffic predictability.
from CISCO @ http://www.cisco.com/warp/public/cc/...t/idssa_wp.htm
Heuristic-based signatures use some type of algorithmic logic on which to base their alarm decisions. These algorithms are often statistical evaluations of the type of traffic being presented. A good example of this type of signature is a signature that would be used to detect a port sweep. This signature looks for the presence of a threshold number of unique ports being touched on a particular machine. The signature may further restrict itself through the specification of the types of packets that it is interested in (that is, SYN packets). Additionally, there may be a requirement that all the probes must originate from a single source. Signatures of this type require some threshold manipulations to make them conform to the utilization patterns on the network they are monitoring. This type of signature may be used to look for very complex relationships as well as the simple statistical example given.
Some types of suspicious/malicious activity cannot be detected through any other means.
Algorithms may require tuning or modification in order to better conform to network traffic and limit false positives.
SHARING KNOWLEDGE
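The Cisco excerpt above describes a threshold-style heuristic signature: count the distinct ports touched on one host, optionally restrict to SYN packets and to a single source, and alarm once a tuned threshold is reached. The following is an added example (not code from this thread, from Cisco, or from Riverhead) that implements that port-sweep logic over constructed packet records, so the effect of the threshold and the SYN-only restriction on false positives can be seen directly. The record format, IP addresses and port numbers are made up for the demonstration.

```python
from collections import defaultdict

# Constructed sample packet records (not captured traffic): one tuple per
# TCP packet, as (src_ip, dst_ip, dst_port, tcp_flags), flags "S" = SYN-only,
# "A" = ACK.
SAMPLE_PACKETS = [
    # 10.0.0.5 sends SYNs to 12 distinct ports on 192.168.1.10: a port sweep.
    *[("10.0.0.5", "192.168.1.10", p, "S") for p in range(20, 32)],
    # 10.0.0.7 is a normal client: a few SYNs to the usual services.
    ("10.0.0.7", "192.168.1.10", 80, "S"),
    ("10.0.0.7", "192.168.1.10", 443, "S"),
    ("10.0.0.7", "192.168.1.10", 22, "S"),
    # 10.0.0.9 sends ACK packets to 10 ports (e.g. stray replies); these are
    # ignored when the signature is restricted to SYN packets.
    *[("10.0.0.9", "192.168.1.10", p, "A") for p in range(1000, 1010)],
]


def port_sweep_alarms(packets, threshold, syn_only=True):
    """Return {(src_ip, dst_ip): sorted list of distinct ports} for every
    source/destination pair that touched at least `threshold` distinct
    destination ports.

    This mirrors the heuristic signature in the Cisco text: a threshold on
    unique ports, an optional restriction to SYN packets, and the
    "single source" requirement expressed by keying on the source address.
    """
    touched = defaultdict(set)
    for src, dst, dport, flags in packets:
        if syn_only and flags != "S":
            continue
        touched[(src, dst)].add(dport)
    return {
        pair: sorted(ports)
        for pair, ports in touched.items()
        if len(ports) >= threshold
    }


def tuning_report(packets, thresholds=(3, 10)):
    """Show how the threshold changes what is flagged, which is the tuning
    step the Cisco text says such signatures always need on a real network."""
    return {t: sorted(port_sweep_alarms(packets, t)) for t in thresholds}


if __name__ == "__main__":
    # Threshold 3 also flags the ordinary client (a false positive);
    # threshold 10 flags only the sweeping host.
    for threshold, alarms in tuning_report(SAMPLE_PACKETS).items():
        print(f"threshold={threshold}: {alarms}")
    # Dropping the SYN-only restriction lets the ACK-only traffic from
    # 10.0.0.9 trigger the signature as well.
    print(sorted(port_sweep_alarms(SAMPLE_PACKETS, 10, syn_only=False)))
```

With a threshold of 3 the normal client is reported alongside the sweep, with a threshold of 10 only the sweep is reported, and removing the SYN-only filter adds the ACK-only source; that is the threshold and packet-type tuning the excerpt refers to, and it is also why the second poster says the approach depends on how predictable the baseline traffic is.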
March 27th, 2003, 04:36 PM
I think it's a bit of snake oil.........
A DDoS attack is going to do one of two things, eat your bandwidth or clog your server.
In the case of eating the bandwidth, there is nothing you can do short of getting the ISPs along the way to block the zombies sending to your pipe, so this system would not assist, since it is only dropping packets it believes are malicious after they have already blocked the bandwidth.
In the second case it will function up to a point. That point would be determined by the number of zombies, the server capacity and the available bandwidth. There will come a point where an overwhelming number of zombies would still "win" since the first packet sent by each zombie, (assuming no IP spoofing is going on), _has_ to be determined as legitimate traffic. If IP spoofing is being done by the zombie then _every_ packet, (assuming the zombie randomizes as opposed to selecting netblocks and sequentially running through them), _has_ to be assumed to be legitimate.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides