Subject: Re: Can someone explain this to me? (Was "network based IDS")
From: Teicher, Mark (mark.teicher NETWORKICE.COM)
Date: Thu Nov 30 2000 - 10:16:00 CST
- Next message: Teicher, Mark: "Re: Can someone explain this to me? (Was "network based IDS")"
- Previous message: Joseph Nicholas Yarbrough: "Re: Can someone explain this to me? (Was "network based IDS")"
- In reply to: Joseph Nicholas Yarbrough: "Re: Can someone explain this to me? (Was "network based IDS")"
- Next in thread: Jon Gary: "Re: Can someone explain this to me? (Was "network based IDS")"
- Reply: Teicher, Mark: "Re: Can someone explain this to me? (Was "network based IDS")"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Do you mean that an IDS vendor couldn't produce a product that is capable
of Active Packet Scrubbing and dynamically applying firewall rules on the
fly to stop DDOS attacks?
In an active network, active packets may misuse active nodes, network
resources, and other active packets in various ways. Also, active nodes may
misuse active packets. Some of the possible problems that may occur are
the following:
Damage: An active packet can destroy or change the resources or services of
a node by reconfiguring, modifying, or erasing them from memory. A node may
erase an active packet before the completion of its job in the node.
Finally, active packets that share the same computational environment may
attack each other.
Denial of Service: An active packet may overload a resource or service due
to constantly consuming network connections or using a great portion of the
CPU cycles available. The node cannot function properly under these
circumstances and another active packet cannot be executed or forwarded.
Theft: An active packet may access and steal private information from a
node. On the other hand, an active packet is vulnerable toward the node at
any point when visiting it. Even if it is encrypted, it is not totally
safe because it usually has to be decrypted in order to execute.
Compound attack: The biggest actual threat for an active node is a compound
attack aimed toward a goal. For example, a malicious user may send many
active packets toward a central router and try to bring it down by
consuming all its bandwidth capacity.
Protecting the nodes and the packets in a flexible environment such as
active networks is not an easy task.
Some techniques that may be used to protect the active nodes, and ways of
protecting the active packets, are the following:
Authentication of Active Packets: Any active packet should have
authenticating credentials produced using one of a number of algorithms
such as a public key signature algorithm. This does not guarantee that the
active packet will be harmless, or even useful. Credentials only provide
assurance that someone else vouches for the active packet.
Monitoring and Control: A reference monitor may be used to restrict the
information, system resources and services that active packets are allowed
to access and use. The reference monitor consults a security policy to
determine if access is to be granted. Since access-level monitoring places
restrictions directly on what a packet can do, it is an effective method.
However, the decision of granting permission for using some resources is
based upon some credentials which are not able to guarantee that a packet
is harmless, as already mentioned.
Limitation Techniques: Time limits such as the amount of time an active
packet may be allowed to be executed, range limits such as the total number
of nodes the packet is allowed to traverse, as well as duplication limits
(i.e., the number of times that a packet may duplicate itself), are
essential in preventing an active packet from monopolizing the resources of
a node.
Proof Carrying Code is based on the observation that it is often easier to
check an answer than to produce it. For a mobile program, it is the creator
of the program who knows the key reasons it is correct, not the host
(active node) that receives the program. Hence we could pair the mobile
program within each active packet with a proof of its correctness. The
active node may easily check the proof and then run the program. The
difficult part is the creation of the proof but this is the job of the
program creator.
At 07:07 PM 11/30/00 -0500, Joseph Nicholas Yarbrough wrote:
>On Thursday 30 November 2000 17:57, you wrote:
>
> > > Ok, I'd really like to know how an IDS is possibly going to be able to
> > protect against a DDoS, since the real problem is as much the volume of
> > traffic as the type of traffic. Obviously, by "DDoS," I am referring to
> > the expansive, all-out mob-style attacks that made the term famous, not a
> > set of 5 dial-up users who have been compromised. Even if the IDS can
> > create rules on the fly in your firewall while brewing you a perfect cup of
> > macchiato and taking your pet iguana for a walk, how can it possibly do any
> > good when your link is saturated out past the border of your own network?
> >
> > > The CaptIo can create rules "on the fly" to protect against DDOS attacks
> > > in less than 3 seconds.
>
>It could create firewall rules to drop the packets at the kernel level to
>avoid as much resource utilization as possible. That is about the only way I
>could see it "protecting" you from DDoS. If the DDoS is a flood meant to
>choke your bandwidth, not much could be done for this. (Without snmp access
>to the ACLs on your upstream router) However, if they are trying to lock up
>the machine by opening many connects to TCP/80 from many hosts, it could
>protect you by dropping the packets before Apache/IIS/Whatever spawns a copy
>for that host. IMHO, this is useful technology.
>
>Joseph Nicholas Yarbrough
>Information Security Analyst
>LURHQ Corporation
>==========================>
>843-347-1075 ext. 312
>nyarbrough lurhq.com
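Yarbrough's reply describes the one DDoS case an IDS can help with: many hosts opening many connections to TCP/80, where a rule created on the fly drops the packets in the kernel before the web server spawns a process for them. As an added example (not code from the thread or from any vendor's product), the Python below implements that response loop over constructed connection records: a per-source sliding window on TCP/80, a drop rule emitted when a source crosses a threshold, and rule expiry so a block does not last forever. The threshold, window and TTL values and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed connection-attempt records (timestamp_s, src_ip, dst_port);
    not data from the thread. One source floods TCP/80, one is a normal client,
    one hammers a port the responder does not watch."""
    events = [(100.0 + i * 0.05, "10.0.0.5", 80) for i in range(30)]   # 30 hits in 1.5 s
    events += [(100.0 + i * 12.0, "10.0.0.9", 80) for i in range(5)]   # 5 hits in 48 s
    events += [(100.0 + i * 0.05, "10.0.0.7", 22) for i in range(40)]  # not port 80
    return sorted(events)

class FloodResponder:
    """Per-source sliding-window counter on one port. When a source exceeds
    `threshold` hits within `window` seconds, emit a kernel-level drop rule
    that expires after `rule_ttl` seconds (the rule is created 'on the fly')."""

    def __init__(self, threshold=20, window=5.0, rule_ttl=60.0, port=80):
        self.threshold, self.window, self.ttl, self.port = threshold, window, rule_ttl, port
        self.recent = defaultdict(deque)   # src_ip -> timestamps inside the window
        self.rules = {}                    # src_ip -> rule expiry time

    def expire(self, now):
        """Remove rules whose TTL has passed so a blocked source is not punished forever."""
        for src in [s for s, exp in self.rules.items() if exp <= now]:
            del self.rules[src]

    def observe(self, ts, src, dport):
        """Feed one event; return a firewall rule string if a new block is created."""
        self.expire(ts)
        if dport != self.port or src in self.rules:
            return None                    # unwatched port, or already dropped in-kernel
        q = self.recent[src]
        q.append(ts)
        while q[0] < ts - self.window:     # slide the window forward
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.rules[src] = ts + self.ttl
        q.clear()
        # Illustrative Linux rule: this block only generates the string, it does not apply it.
        return f"iptables -A INPUT -s {src} -p tcp --dport {self.port} -j DROP"

    def blocked(self, now):
        """Sources whose drop rule is still active at time `now`."""
        return sorted(s for s, exp in self.rules.items() if exp > now)

def run(events, **kwargs):
    """Replay events through a responder; return (responder, list of emitted rules)."""
    r = FloodResponder(**kwargs)
    rules = [rule for ts, src, dport in events if (rule := r.observe(ts, src, dport))]
    return r, rules
```

As the reply notes, this does nothing for a flood that saturates the link upstream of the firewall, and a distributed flood in which every source stays below the per-source threshold also passes unless an aggregate per-port counter is added.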