ThreatSTOP Blog

The DOS Attack Revisited

Written by francisturner | May 24, 2010

Recently there have been a number of news stories discussing a recent rise of the Denial of Service attacks and noting that the compromised computers used to effect the attacks seem to be servers rather than PCs as was usually the case in the past few years.

The advantage of using a server is that it typically has a much greater pipe and much greater capacity to generate attacks. However, unless the server is so completely infected that the cybercriminals have managed to install a packet generator on it, the attacks will use standard TCP/IP sessions to make the attacks.

This is the sort of attack that firewalls should be able to block very well-- as, once they know to block traffic to/from that IP address, they can block even the initial TCP SYN. In terms of server processing and network bandwidth, this is a huge win.

Now an IDS can use a tool like SnortSAM to detect an attack and add the IP address to the block tool, but this is not an instantaneous act. If enough traffic is sent from enough IP addresses simultaneously, then the IDS may itself become overwhelmed and unable to provide the commands to the firewall. And, of course once an IP address is blocked from one attack it may simply move on to attack another site which will then have to have its IDS triggered.

ThreatSTOP is a way to leverage the fact that the same IP addresses will be used in many attacks. ThreatSTOP subscribers share attack data, so once an IP address is blocked by one subscriber, it will be blocked by all the others. This cooperative data sharing means that the attackers are far, far less effective because each address is only effective once.

Furthermore, ThreatSTOP is now fully compatible with SnortSAM, thus any organization that uses SnortSAM to get its IDS to provide data to its firewall can now, essentially, also get the IDS of every other ThreatSTOP subscriber, as well as and many security research groups to provide data to its firewall.