[unisog] IPS

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Feb 9 17:08:50 GMT 2005


On Wed, 09 Feb 2005 11:30:12 EST, Wes Young said:
> but what about the IPS's that only block the bad traffic, in theory,
> shouldn't an IPS only block those packets that are spoofed, and not the
> ones that (it detects) are real?

And it tells the difference, *how* exactly?  If you were to see a TCP SYN
packet coming from 128.173.14.107, how do you know it came from my laptop
and not some host in Taiwan? (Remember you'll almost certainly receive the
packet from the same upstream router in either case, unless you're a multihomed
ASN and you *know* why uRPF filtering doesn't work for you. ;)

> day to day business.... If it detects a spoofed IP it should drop it...
> but if reg traffic is mixed in there, it should only drop the spoofs???

3514 The Security Flag in the IPv4 Header. S. Bellovin. April-01-2003.
     (Format: TXT=11211 bytes) (Status: INFORMATIONAL)

http://www.ietf.org/rfc/rfc3514.txt
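
The point about the upstream router, worked through as an added example (not part of the original post): a strict reverse-path check on a single-homed edge router sees only the claimed source and the arrival interface. The routing table, the 192.0.2.0/24 campus prefix and the packet list are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a single-homed edge router (assumption):
# prefix -> interface the route to that prefix points out of.
ROUTES = [
    ("0.0.0.0/0", "upstream"),    # default route to the ISP
    ("192.0.2.0/24", "campus"),   # our own network (documentation prefix)
]
FIB = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]


def reverse_path_interface(src):
    """Longest-prefix match on the source address, as a reverse-path check does."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifc) for net, ifc in FIB if addr in net]
    return max(matches)[1] if matches else None


def urpf_strict(src, arrived_on):
    """Strict mode: accept only if the route back to src uses the arrival interface."""
    return reverse_path_interface(src) == arrived_on


# Constructed packets: (claimed source, arrival interface, actual origin).
# "actual origin" is ground truth that the filter never gets to see.
PACKETS = [
    ("128.173.14.107", "upstream", "the real host"),
    ("128.173.14.107", "upstream", "a spoofing host elsewhere"),
    ("192.0.2.10", "upstream", "a spoofing host elsewhere"),
    ("192.0.2.10", "campus", "the real host"),
]


def classify(packets):
    """Return (src, interface, origin, accepted) for each packet."""
    return [(src, ifc, origin, urpf_strict(src, ifc)) for src, ifc, origin in packets]


if __name__ == "__main__":
    for src, ifc, origin, ok in classify(PACKETS):
        verdict = "accept" if ok else "drop"
        print(f"{src:15} via {ifc:8} from {origin:26} -> {verdict}")
```

The first two packets are identical as far as the filter can tell, so they get the same verdict; only the spoof of an internal address arriving from outside is caught.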