From: Pete Herzog (lists_at_isecom.org)
Date: Thu Feb 06 2003 - 08:54:06 CST


    Chris,

    Not just poorly implemented IDS but spoofed packets as well. How does an
    active IDS differentiate and if it can't is it possible to do the old
    CHARGEN - ECHO trick using the IDS of different companies to start sending
    RST packets at ever increasing rates against each other? If the IDS would
    even respond to RST floods (would be stupid I suppose)....

    I have tested networks with Active IDS and the only problem I found was when
    the IDS actually blocked my IP at the router. The tester then has to ensure
    that the IDS has been told who to cut off and who not to and for how long.
    Otherwise, it's too easy to spoof packets and DoS for legitimate traffic and
    providers. The question then becomes is the service more or less valuable
    than the security of that service?

    Active IDS just does not work with Usability in my opinion. Too many things
    can and do go wrong which will make legitimate users and the service offered
    to them to be inconvenienced.

    Sincerely,
    -pete.
    www.isecom.org

    -----Original Message-----
    From: Chris Travers [mailto:christravelamericas.com]
    Sent: Wednesday, February 05, 2003 8:16 AM
    To: Thomas H. Ptacek
    Cc: Focus-IDS
    Subject: Re: Active response... some thoughts.

    Thomas;

    I was also thinking about a liability from a poorly implemented system
    being able to be used to DOS an address by spoofing packets from that
    address.

    I guess I come back to advocating passive solutions primarily.

    Best Wishes,
    Chris Travers

    Thomas H. Ptacek wrote:

    >On 1/31/03 1:22 PM, "Chris Travers" <christravelamericas.com> wrote:
    >
    >>An IDS could have hooks into a routers filtering tables in order to
    >>temporarily ban that IP address. This has the advantage of the RST in
    >>that all inbound traffic from the attacker would be stopped, but would
    >
    >ACL countermeasures are generally avoided because it is hard to make them
    >fail safely. It is not easy to push soft-state ACLs to Cisco and Juniper
    >routers; the risk that the IDS could get desynchronized from the filter is
    >large.
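The failure mode the thread describes (a forged source address tricking an active IDS into cutting off a legitimate host) and Pete's mitigation (the IDS must be told who to cut off, who not to, and for how long) as a small simulation. This is an added example, not code from the list or its posters; the addresses, the `ActiveResponsePolicy` class and the alert stream are constructed placeholders.

```python
"""Simulated active-response (auto-block) policy for an IDS.

A naive policy blocks whatever source address an alert names, so one spoofed
packet can cut off a host the site depends on. A guarded policy keeps a
never-block list, gives every block a bounded lifetime (soft state that
expires on its own), and caps the number of simultaneous blocks.
"""
from dataclasses import dataclass, field


@dataclass
class ActiveResponsePolicy:
    never_block: set            # hosts that must not be cut off (upstream DNS, routers, partners)
    block_ttl: int              # seconds a block lives before it expires automatically
    max_blocks: int             # cap on simultaneous blocks, so an alert flood cannot fill the ACL
    blocks: dict = field(default_factory=dict)  # src_ip -> expiry timestamp

    def expire(self, now):
        """Drop every block whose lifetime has run out."""
        for ip in [ip for ip, exp in self.blocks.items() if exp <= now]:
            del self.blocks[ip]

    def on_alert(self, src_ip, now):
        """Handle an alert naming src_ip; return True if src_ip is blocked afterwards."""
        self.expire(now)
        if src_ip in self.never_block:
            return False                      # protected host: never act on a (possibly spoofed) alert
        if src_ip not in self.blocks and len(self.blocks) >= self.max_blocks:
            return False                      # ACL is full: refuse rather than grow without bound
        self.blocks[src_ip] = now + self.block_ttl   # add or refresh with a fresh expiry
        return True

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocks


# Constructed alert stream: (timestamp, source address). The second alert's source
# is forged to look like the site's upstream DNS server (placeholder addresses).
UPSTREAM_DNS = "198.51.100.53"
ALERTS = [(0, "203.0.113.9"), (1, UPSTREAM_DNS), (2, "203.0.113.9")]


def run_scenario(policy):
    """Feed the constructed alerts through a policy and return it for inspection."""
    for t, src in ALERTS:
        policy.on_alert(src, t)
    return policy


def naive_policy():
    return ActiveResponsePolicy(never_block=set(), block_ttl=10**9, max_blocks=10**6)


def guarded_policy():
    return ActiveResponsePolicy(never_block={UPSTREAM_DNS}, block_ttl=300, max_blocks=100)
```

With the naive policy the forged alert leaves the DNS server blocked indefinitely; with the guarded policy it is ignored, the real attacker's block still lands, and it falls off the ACL after the TTL without anyone having to resynchronize the router.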