@@ -450,9 +450,10 @@ published in 1999, having started life as an IDS, and now owned by
450450Cisco. In its original incarnation, Snort provided a lightweight,
451451rule-based packet filtering and capture tool based on Berkeley Packet
452452Filters. The idea is that attacks, such as worms, have a recognizable
453- signature, and that the IDS can be programmed with a rule to recognize
454- the attack traffic, and raise alerts when this happens. As an IPS,
455- Snort now takes the additional step of blocking the attack.
453+ signature (a particular combination of header fields), and that the
454+ IDS can be programmed with a rule to recognize the attack traffic, and
455+ raise alerts when this happens. As an IPS, Snort now takes the
456+ additional step of blocking the attack.
456457
457458.. admonition :: Further Reading
458459
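Review bot: the parenthetical added at line 453, "(a particular combination of header fields)", is narrower than the worm example in the same sentence needs. Snort rules match on payload bytes as well as on headers (the `content:` and `pcre:` rule options), and worm signatures are usually payload byte patterns rather than header values; the header-only reading also blurs the contrast with the Berkeley Packet Filter, which is a header-level filter, mentioned two lines earlier. Suggest "(a recognizable pattern in the packet headers or payload)" or "(a particular combination of header fields and payload bytes)".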
@@ -490,7 +491,7 @@ above for an example set of community rules.)
490491 trigger a cease-and-desist letter. In other situations,
491492 administrators want to ensure that a human (and not an automated
492493 crawler) is sending requests to their websites. There are "opt-out"
493- conventions (e.g., adding a `` robots.txt`` file), but they depend on
494+ conventions (e.g., adding a robots.txt file), but they depend on
494495 the good will of other actors. Some website administrators are now
495496 using Anubis, an open source web application firewall, to ensure that
496497 a human, and not an AI bot
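Review bot: at line 494 the change drops the inline-literal markup around the file name instead of repairing it. The original `` robots.txt`` failed only because of the stray space after the opening backticks; ``robots.txt`` (no leading space) is valid RST and keeps the file name typeset as a literal, which is what the original author evidently intended. Suggest restoring the markup without the space rather than demoting the file name to plain text.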
@@ -544,12 +545,13 @@ flash crowds of legitimate traffic: a *Content Distribution Network
544545(CDN). * The idea is to replicate content (whether it's a movie or a
545546critical piece of infrastructure metadata) across many
546547widely-distributed servers. As long as the aggregate capacity of these
547- servers is greater than the aggregate capacity of the botnet, content
548- remains available. This notion of *aggregate * capacity generalizes
549- beyond web servers responding to GET requests. A network is itself a
550- distributed collection of forwarding and transmission resources,
551- engineered to distribute those resources in a way that avoids
552- vulnerable bottlenecks.
548+ servers is greater than the aggregate capacity of the botnet—and the
549+ CDN does a good job spreading requests across the available
550+ servers—content remains available. This notion of *aggregate * capacity
551+ generalizes beyond web servers responding to GET requests. A network
552+ is itself a distributed collection of forwarding and transmission
553+ resources, engineered to distribute those resources in a way that
554+ avoids vulnerable bottlenecks.
553555
554556The second countermeasure is to filter malicious traffic as early
555557(close to the source) as possible. This is similar to what an IPS
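Review bot: the clause added at lines 548-550, "and the CDN does a good job spreading requests across the available servers", states the load-balancing condition too loosely for the argument. Aggregate capacity exceeding the botnet's is necessary but not sufficient: if the request mapping sends a disproportionate share of traffic to one replica, that replica (or its uplink) becomes exactly the "vulnerable bottleneck" that line 554 warns against. Suggest making the condition concrete, e.g. "and the CDN spreads requests so that no individual server is pushed past its own capacity". Separately, line 550 still shows a space inside the emphasis markup, "*aggregate *"; if that space is really in the source it prevents RST from rendering the emphasis, and since the line is being rewritten anyway it should become "*aggregate*".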