[unisog] IPS

Russell Fulton r.fulton at auckland.ac.nz
Wed Feb 9 19:01:04 GMT 2005


On Wed, 2005-02-09 at 11:10 -0700, Bauer, Steven J. wrote:
> Would the spoofed ips really be a problem depending on where the ips is
> deployed at?  Normally, the spoofed ip packets should be blocked by some
> router(s) that have an idea of what ip packets they should forward.
> Basically, the defense in depth method rather than depending on one
> device to do it all.

Umm... you can deal with spoofed packets from your own network but how
can any router under your control know that the source address is
spoofed?  It can't, and nor can your IPS.

I agree with Gary that whether or not an IPS is vulnerable to DOS from
spoofing depends on how it behaves. If it blocks IP addresses based on
the receipt of SYN packets then you definitely have a problem. Likewise
if it blocks IPs on the receipt of any packet that has malicious
content.

If it keeps enough state to know that it has seen a full TCP session
with malicious content it is probably safe to block the IP although I
would prefer it to just drop the malicious content and perhaps reset the
session.

Russell.


-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
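As an added illustration, not part of this thread's messages, a small Python simulation of the two blocking policies Russell contrasts: one that blocks a source on any SYN or any signature hit (trivially triggered by forged packets), and one that blocks only after a completed handshake has carried the malicious content. The addresses, the signature string and the traffic are constructed for the example.

```python
from dataclasses import dataclass

SIGNATURE = b"EVIL"  # constructed placeholder for a content signature

@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # TCP flags as a string: "S", "SA", "A" or "PA"
    payload: bytes = b""

def naive_block_list(packets):
    """Block a source on any SYN or any packet carrying the signature.
    One forged packet trips either rule, so spoofed addresses get blocked."""
    blocked = set()
    for p in packets:
        if p.flags == "S" or SIGNATURE in p.payload:
            blocked.add(p.src)
    return blocked

def stateful_block_list(packets):
    """Block only after a completed three-way handshake carried the signature;
    always drop the content itself. Returns (blocked sources, dropped count)."""
    state = {}   # (client, server) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"
    blocked, dropped = set(), 0
    for p in packets:
        if p.src in blocked:
            dropped += 1
        elif p.flags == "S":
            state[(p.src, p.dst)] = "SYN_SENT"
        elif p.flags == "SA" and state.get((p.dst, p.src)) == "SYN_SENT":
            state[(p.dst, p.src)] = "SYN_RECV"       # server answered the client
        elif p.flags == "A" and state.get((p.src, p.dst)) == "SYN_RECV":
            state[(p.src, p.dst)] = "ESTABLISHED"    # client proved it saw the SYN-ACK
        elif SIGNATURE in p.payload:
            dropped += 1
            if state.get((p.src, p.dst)) == "ESTABLISHED":
                blocked.add(p.src)   # a spoofed source never reaches this state
    return blocked, dropped

# Constructed traffic: forged packets claiming to be from 10.0.0.5 (a host the
# attacker wants cut off), then a real client completing a handshake and attacking.
TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", "S"),
    Packet("10.0.0.5", "192.0.2.10", "PA", b"GET " + SIGNATURE),
    Packet("198.51.100.7", "192.0.2.10", "S"),
    Packet("192.0.2.10", "198.51.100.7", "SA"),
    Packet("198.51.100.7", "192.0.2.10", "A"),
    Packet("198.51.100.7", "192.0.2.10", "PA", b"GET " + SIGNATURE),
]
```

The naive policy blocks both 10.0.0.5 and the real attacker; the stateful one drops both malicious packets but blocks only 198.51.100.7.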