@@ -471,10 +471,11 @@ published in 1999, having started life as an IDS, and now owned by
471471Cisco. In its original incarnation, Snort provided a lightweight,
472472rule-based packet filtering and capture tool based on Berkeley Packet
473473Filters. The idea is that attacks, such as worms, have a recognizable
474- signature (a particular combination of header fields), and that the
475- IDS can be programmed with a rule to recognize the attack traffic, and
476- raise alerts when this happens. As an IPS, Snort now takes the
477- additional step of blocking the attack.
474+ signature—for example, a particular combination of header values or a
475+ unique byte-string embedded in the payload—and that the IDS can be
476+ programmed with a rule to recognize the attack traffic, and raise
477+ alerts when this happens. As an IPS, Snort now takes the additional
478+ step of blocking the attack.
478479
479480.. admonition :: Further Reading
480481
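Review bot: the new example of a payload byte-string signature is good, but it now sits next to an unchanged sentence that describes Snort as "a lightweight, rule-based packet filtering and capture tool based on Berkeley Packet Filters", which only covers header-level matching; consider a clause noting that matching a byte-string in the payload goes beyond what BPF header filters express (Snort's rule language does this), so the two sentences do not read as contradictory. Also, "As an IPS, Snort now takes the additional step of blocking the attack" would benefit from saying that blocking requires Snort to be deployed inline in the forwarding path, since a passive tap can only alert.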
@@ -548,7 +549,7 @@ typically involve an adversary trying to overwhelm "good" resources
548549with traffic generated by "bad" resources (botnets constructed from a
549550distributed collection of compromised devices). Firewalls and other
550551security appliances help protect devices from being compromised in the
551- first place, but because they are not perfect (a human is usually the
552+ first place, but because they are not perfect (a human is often the
552553weakest link), we also need ways to mitigate the impact of
553554*Distributed DoS (DDoS) * attacks.
554555
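Review bot: softening "usually" to "often" is reasonable, but the parenthetical still does not explain why firewalls "are not perfect"; as written it reads as if the human is a defect of the firewall. Consider "because they are not perfect (and a human is often the weakest link)" or a separate sentence, so the two reasons, imperfect appliances and users who can be tricked, stay distinct. Separately, the context line `*Distributed DoS (DDoS) *` has a space before the closing asterisk; if that space is really in the source, the RST emphasis will not render, so it should be `*Distributed DoS (DDoS)*`.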
@@ -569,26 +570,25 @@ widely-distributed servers. As long as the aggregate capacity of these
569570servers is greater than the aggregate capacity of the botnet—and the
570571CDN does a good job spreading requests across the available
571572servers—content remains available. This notion of *aggregate * capacity
572- generalizes beyond web servers responding to GET requests. A network
573- is itself a distributed collection of forwarding and transmission
574- resources, engineered to distribute those resources in a way that
575- avoids vulnerable bottlenecks.
573+ generalizes beyond web servers responding to HTTP GET requests. A
574+ network is itself a distributed collection of forwarding and
575+ transmission resources, engineered to distribute those resources in a
576+ way that avoids vulnerable bottlenecks.
576577
577578The second countermeasure is to filter malicious traffic as early
578- (close to the source) as possible. This is similar to what an IPS
579- would do, except the traffic often looks legitimate. If a DoS attack
580- comes from a single source, then it is easy to "block" traffic from
581- that source at an ingress to a network you control. This is why DoS
582- attacks are typically distributed. Dropping (or rate limiting) attack
583- packets at the boundary router (or firewall) for an enterprise is
584- better than allowing those packets to flood the local network and
585- reach a victim server(s), but the more widely distributed the periphery
586- of your network, the earlier you can filter malicious packets. And
587- drawing on the first countermeasure, the more widely distributed your
588- network resources are, the greater your aggregate filtering capacity.
589- Global overlay networks, as provided by companies like Cloudflare and
590- Fastly, offer a combination of content distribution and distributed
591- packet filtering. These are commercial products, with many
592- proprietary details, but the general principles outlined here explain
593- their underlying strategy.
579+ (close to the source) as possible. If a DoS attack comes from a single
580+ source, then it is easy to "block" traffic from that source at an
581+ ingress to a network you control. This is why DoS attacks are
582+ typically distributed. Dropping (or rate limiting) attack packets at
583+ the boundary router (or firewall) for an enterprise is better than
584+ allowing those packets to flood the local network and reach a victim
585+ server(s), but the more widely distributed the periphery of your
586+ network, the earlier you can filter malicious packets. And drawing on
587+ the first countermeasure, the more widely distributed your network
588+ resources are, the greater your aggregate filtering capacity. Global
589+ overlay networks, as provided by companies like Cloudflare and Fastly,
590+ offer a combination of content distribution and distributed packet
591+ filtering. These are commercial products, with many proprietary
592+ details, but the general principles outlined here explain their
593+ underlying strategy.
594594
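Review bot: dropping the sentence "This is similar to what an IPS would do, except the traffic often looks legitimate" removes the one point that distinguishes DDoS filtering from the IPS signature matching described earlier in the section; without it a reader may assume the same signature rules apply. Suggest keeping it, possibly reworded as "Unlike the signature matching an IPS performs, the individual packets of a DDoS attack often look legitimate, so filtering has to rely on volume and rate rather than on content." The `*aggregate *` context line has the same stray space before the closing asterisk as the DDoS line in the previous hunk and should be checked in the source.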