IPS and DDOS protection

carl_townshend · ‎11-27-2013

Hi all

I have been reading some info on ips and ddos

I believe that IPS cannot really deal with DDOS attack as they only look at traffic from one source etc.

can anyone tell me if IPS can prevent ddos? or should you be looking at something else ?

cheers

rhermes · ‎11-27-2013

Cisco IPS sensors can provide limited DDoS protection under a small set of circumstances (all three must be satisfied):

1. The DDoS attack has a signature.

2. The signature correctly triggers (you'll never know what string the signature triggers on, because Cisco keeps that information secret, unlike some other vendors like SourceFire).

3. The DDoS attack is not volumetric (most DDoS attacks relay on a greater volume of traffic overwhelming your access capacity) It doesn't matter how well an IPS sensor can detect and block traffic if your access pipe is full.

- Bob

johflore · ‎12-20-2013

Here is signature refers to DDoS 1493/0 :

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1493&signatureSubId=0&softwareVersion=6.0&releaseVersion=S672

Interesting information about DDoS from SIO (Cisco Security Intelligence Operations ) perspective:

http://blogs.cisco.com/security/csro-perspective-on-financial-DDoS-attacks/

http://www.cisco.com/web/about/security/intelligence/ERP-financial-DDoS.html

Jhn