flynngn at jmu.edu
Wed Feb 9 17:37:08 GMT 2005
Regarding the denial of service potential of IPS
To a large degree, it is a configuration issue. Different
vendors have different capabilities. For example:
1. You could block only packets that are detected as
carrying malicious payload or being out of spec.
e.g. out of spec DNS packets
e.g. HTTP packet carrying malicious payload
Generally, you're just dropping a single packet
containing malicious content without closing sessions
or impacting future communications so spoofed packets
shouldn't affect good traffic. Of course, if the
spoofed traffic overloads resources you'd have a
problem but that is true along the entire chain with
or without the IPS.
2. You could drop sessions associated with those packets.
e.g. Drop an SMTP session if an attempt is made to
transfer malicious content (generally not a good
idea by the way but useful as an example)
e.g. Drop a telnet session if too many unsuccessful
logins are seen
A spoof here could close a session. But if the IPS is
maintaining state, including TCP sequence numbers, it
would not be trivial and the attacker would generally
have to have access to the traffic stream.
3. You could block further communications of various
subsets of the parties involved in the communications
that were flagged. This is where the highest risk of
denial of service arises.
e.g. Block all further HTTP requests for a defined time
from an outside IP address requesting cmd.exe
e.g. Block all further requests from your clients for
a defined time to an HTTP server that is serving
e.g. Block all further requests from an outside IP
address for a defined period of time that is
scanning your network
Spoofing difficulty varies with the type of session: TCP is
always more difficult than UDP, and completed TCP sessions
are more difficult than sending only SYNs.
To spoof an external web server to send a malicious
response to a client would not be trivial. To spoof
a desired server as a client hitting your web server
would be easier assuming you can complete the TCP
handshake. Flooding with frag, icmp, or udp packets
that trigger an IPS's reaction without session state
would be easy.
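The three reaction classes above, and the way session state changes their denial-of-service exposure, are easier to see in a small model. The following is an added example written for this post, not code from the original message or from any IPS product; the `IPS` class, its `mode`/`require_state` settings, the simplified sequence-number window check and the RFC 5737 addresses are all constructed for illustration, and real products track far more state than this.

```python
"""Toy model of the three IPS reaction classes described in the post.

mode 1: drop only the offending packet
mode 2: also close the session it belongs to
mode 3: also block the source address for block_secs

require_state=True makes the IPS react beyond a plain drop only when the
triggering packet falls inside a TCP session it saw complete, which is the
mitigation the post points at for spoofed triggers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    malicious: bool = False     # constructed flag standing in for signature/anomaly detection
    seq: Optional[int] = None   # TCP sequence number the packet claims


class IPS:
    def __init__(self, mode, require_state=False, block_secs=600, window=65535):
        self.mode = mode
        self.require_state = require_state
        self.block_secs = block_secs
        self.window = window          # acceptable distance from the expected sequence number
        self.sessions = {}            # (src, dst) -> next expected TCP sequence number
        self.blocks = {}              # src address -> block expiry time (seconds)

    def handshake(self, src, dst, isn):
        """Record a completed three-way handshake (constructed: the caller is trusted)."""
        self.sessions[(src, dst)] = isn

    def _in_session(self, p):
        """True only if the packet claims a sequence number inside a tracked session."""
        expected = self.sessions.get((p.src, p.dst))
        if expected is None or p.seq is None:
            return False
        return 0 <= p.seq - expected < self.window

    def handle(self, p, now):
        """Return the IPS verdict for one packet at time `now` (seconds)."""
        expiry = self.blocks.get(p.src)
        if expiry is not None and now < expiry:
            return "blocked"            # collateral effect of an earlier reaction
        if not p.malicious:
            return "pass"
        trusted = self._in_session(p)
        if self.mode == 1 or (self.require_state and not trusted):
            return "drop"               # single packet gone, nothing else touched
        if self.mode == 2:
            self.sessions.pop((p.src, p.dst), None)
            return "drop+close"
        self.blocks[p.src] = now + self.block_secs
        return "drop+block"


def scenario():
    """Run the four situations discussed in the post and return the verdicts."""
    results = {}
    partner, server = "198.51.100.7", "192.0.2.10"   # constructed documentation addresses

    # Class 1: only the offending packet is lost; the next one from the same host passes.
    ips = IPS(mode=1)
    ips.handle(Packet("203.0.113.5", server, "udp", malicious=True), now=0)
    results["mode1_next_ok"] = ips.handle(Packet("203.0.113.5", server, "udp"), now=1)

    # Class 2 with state: a forged segment far outside the window cannot close the session,
    # an in-window one can.
    ips = IPS(mode=2, require_state=True)
    ips.handshake(partner, server, isn=1000)
    results["mode2_offwindow"] = ips.handle(Packet(partner, server, "tcp", True, seq=900000), now=0)
    results["mode2_session_alive"] = (partner, server) in ips.sessions
    results["mode2_inwindow"] = ips.handle(Packet(partner, server, "tcp", True, seq=1200), now=1)

    # Class 3 without state: one datagram with a forged source blocks the real partner
    # for block_secs, which is the denial-of-service case.
    ips = IPS(mode=3, require_state=False, block_secs=600)
    forged = Packet(partner, server, "udp", malicious=True)
    results["mode3_forged"] = ips.handle(forged, now=0)
    results["mode3_partner_collateral"] = ips.handle(Packet(partner, server, "udp"), now=10)
    results["mode3_partner_after_expiry"] = ips.handle(Packet(partner, server, "udp"), now=601)

    # Class 3 with state: the same forged datagram is dropped but blocks nobody.
    ips = IPS(mode=3, require_state=True)
    results["mode3_stateful_forged"] = ips.handle(forged, now=0)
    results["mode3_stateful_partner_ok"] = ips.handle(Packet(partner, server, "udp"), now=10)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:28s} {verdict}")
```

The model deliberately keeps the block-list reaction (mode 3) and the state requirement as separate knobs so the trade-off in the post is visible: the stateless block is the one that a single forged datagram can turn against a legitimate partner, and tying the reaction to a completed TCP session removes that case at the cost of never reacting to UDP, ICMP or fragment triggers at all.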
It's a matter of carefully considering the risk vs. protection
tradeoffs and being able to adjust as conditions change.
I'm sure I've missed some opportunities for abuse but
connecting to the Internet was the biggest one. :)
James Madison University