[unisog] IPS

Wes Young wcyoung at buffalo.edu
Wed Feb 9 16:30:12 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

But what about the IPSs that only block the bad traffic? In theory,
shouldn't an IPS only block those packets that are spoofed, and not the
ones that (it detects) are real? My understanding of most IPSs is that
they only block stuff originating from the host (virus propagation, etc.)
that is bad while still allowing hosts to continue on with their normal
day-to-day business.... If it detects a spoofed IP it should drop it...
but if regular traffic is mixed in there, it should only drop the spoofs???
Right?

Dave Ellingsberg wrote:
| You miss my point, I believe.  You do business with a bank.  Say its IP is
| 8.8.8.xx.  I spoof packets that are blocked by your IPS from host
| addresses in the 8.8.8.0/24 block.  Your IPS detects these as an attack
| and blocks IPs from that block.  Now you and your bank are having
| trouble connecting and your business is disrupted.
|
| this is my worry with IPS systems.
|
| bigfoot.
|
|
|>>>david.escalante at bc.edu 2/8/2005 3:43:56 PM >>>
|
| Dave Ellingsberg wrote:
|
|
|>One item not discussed is possible DoS against major customers of your
|>institutions.  If addresses are spoofed in an attack against your
|>institution with addresses of your major users, does this cause an
|>interruption of service to your major customers?  Has anyone experienced
|>this sort of attack against an IPS service?
|>
|
| Network IPS devices don't all handle DoS and DDoS the same, or even very
| well in some cases.  If this is a specific issue with you, you should
| discuss it in detail with your contemplated vendors.  IMHO, in general
| the Top Layer folks have devoted the most time and attention to this
| particular issue.
| --
| David Escalante
| Boston College
| _______________________________________________
| unisog mailing list
| unisog at lists.sans.org
| http://www.dshield.org/mailman/listinfo/unisog
|
|

- --
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCCjqU1M5o0FsrrbERAhuOAJ9LDpMf8ACG3tPrMtyIBlZJCCDLvgCeOus2
Bap5RBmCPE68bWjdF1uoj1w=
=exEE
-----END PGP SIGNATURE-----
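The disagreement in this thread is between two IPS reaction policies: dropping only the packets on which the detector fires, versus blocking an entire source range once enough alerts come from it. The following simulation is an added illustration, not code from the thread or from any IPS product, and its traffic is constructed: a legitimate flow from a single address (8.8.8.8 standing in for "the bank") and a spoofed burst with sources scattered across 8.8.8.0/24. It assumes the IPS has some per-packet detection signal (here a pre-computed `malicious` flag, as a signature match would give); a source address on its own cannot tell the IPS whether a packet was spoofed, which is exactly why per-source blocking is what makes the spoofing attack work.

```python
"""Per-packet dropping vs per-source blocking in an IPS: collateral damage
from a spoofed burst.  Added example; constructed traffic, hypothetical
policy classes (not any vendor's implementation)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    ts: float         # seconds
    src: str          # source IPv4 address; may be spoofed
    dst: str
    malicious: bool   # what the IPS detector sees (e.g. a signature hit)
    legit: bool       # ground truth, used only for scoring; the IPS never sees it


class PerPacketIPS:
    """Drops exactly the packets on which detection fires; nothing else."""

    def handle(self, pkt: Packet) -> bool:
        return not pkt.malicious


class PerSourceIPS:
    """After `threshold` alerts from one prefix within `window` seconds,
    blocks the whole prefix for `block_for` seconds (the policy that the
    thread worries about)."""

    def __init__(self, prefix_len=24, threshold=5, window=1.0, block_for=60.0):
        self.prefix_len = prefix_len
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.alerts = defaultdict(list)   # prefix -> recent alert timestamps
        self.blocked_until = {}           # prefix -> expiry time

    def _prefix(self, ip: str):
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def handle(self, pkt: Packet) -> bool:
        net = self._prefix(pkt.src)
        if self.blocked_until.get(net, 0.0) > pkt.ts:
            return False                  # whole prefix is blocked: legit or not
        if pkt.malicious:
            hits = [t for t in self.alerts[net] if t > pkt.ts - self.window]
            hits.append(pkt.ts)
            self.alerts[net] = hits
            if len(hits) >= self.threshold:
                self.blocked_until[net] = pkt.ts + self.block_for
            return False
        return True


def build_traffic() -> list:
    """Constructed sample: 40 legitimate packets from 8.8.8.8 over 20 s, plus
    50 spoofed attack packets in half a second with sources across 8.8.8.0/24."""
    pkts = [Packet(i * 0.5, "8.8.8.8", "10.0.0.5", False, True) for i in range(40)]
    pkts += [Packet(2.0 + i * 0.01, f"8.8.8.{(i * 37) % 256}", "10.0.0.5", True, False)
             for i in range(50)]
    pkts.sort(key=lambda p: p.ts)          # stable: legit packet at t=2.0 stays first
    return pkts


def run(ips, pkts) -> dict:
    """Feed packets through one policy and count outcomes by ground truth."""
    stats = {"legit_passed": 0, "legit_dropped": 0,
             "attack_passed": 0, "attack_dropped": 0}
    for p in pkts:
        forwarded = ips.handle(p)
        key = ("legit" if p.legit else "attack") + ("_passed" if forwarded else "_dropped")
        stats[key] += 1
    return stats


def compare() -> dict:
    pkts = build_traffic()
    return {"per_packet": run(PerPacketIPS(), pkts),
            "per_source": run(PerSourceIPS(), pkts)}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

Both policies stop every attack packet; the difference is in the `legit_dropped` column. The per-source policy blocks 8.8.8.0/24 after the fifth alert (t = 2.04 s) and then discards every legitimate packet from the bank for the next minute, which is the outage described in the thread; the per-packet policy drops none of them. The per-packet policy is not free either: the IPS still has to inspect every spoofed packet, so a large enough flood can exhaust its capacity even though no legitimate source is blacklisted.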