[unisog] IPS

Gary Flynn flynngn at jmu.edu
Wed Feb 9 17:37:08 GMT 2005

Regarding the denial of service potential of IPS

To a large degree, it is a configuration issue. Different
vendors have different capabilities. For example:

1. You could block only packets that are detected as
    carrying malicious payload or being out of spec.

     e.g. out of spec DNS packets
     e.g. HTTP packet carrying malicious payload

     Generally, you're just dropping a single packet
     containing malicious content without closing sessions
     or impacting future communications so spoofed packets
     shouldn't affect good traffic. Of course, if the
     spoofed traffic overloads resources you'd have a
     problem but that is true along the entire chain with
     or without the IPS.

2. You could drop sessions associated with those packets.

    e.g. Drop an SMTP session if an attempt is made to
         transfer malicious content (generally not a good
         idea by the way but useful as an example)
    e.g. Drop a telnet session if too many unsuccessful
         logins are seen

    A spoof here could close a session. But if the IPS is
    maintaining state, including TCP sequence numbers, it
    would not be trivial and the attacker would generally
    have to have access to the traffic stream.

3. You could block further communications of various
    subsets of the parties involved in the communications
    that were flagged. This is where the highest risk of
    denial of service arises.

    e.g. Block all further HTTP requests for a defined time
         from an outside IP address requesting cmd.exe
    e.g. Block all further requests from your clients for
         a defined time to an HTTP server that is serving
         IE exploits
    e.g. Block all further requests from an outside IP
         address for a defined period of time that is
         scanning your network

    Spoofing difficulty varies with the type of session.
    TCP always being more difficult than UDP. Completed
    TCP sessions more difficult than sending only SYNs.
    To spoof an external web server to send a malicious
    response to a client would not be trivial. To spoof
    a desired server as a client hitting your web server
    would be easier assuming you can complete the TCP
    handshake. Flooding with frag, icmp, or udp packets
    that trigger an IPS's reaction without session state
    would be easy.

Its a matter of carefully considering the risk vs protection
tradeoffs and being able to adjust as conditions change.
I'm sure I've missed some opportunities for abuse but
connecting to the Internet was the biggest one. :)

Gary Flynn
Security Engineer
James Madison University

More information about the unisog mailing list