[unisog] IPS

Bauer, Steven J. Steve.Bauer at sdsmt.edu
Wed Feb 9 18:10:05 GMT 2005

Would the spoofed ips really be a problem depending on where the ips is
deployed at?  Normally, the spoofed ip packets should be blocked by some
router(s) that have an idea of what ip packets they should forward.
Basically, the defense in depth method rather than depending on one
device to do it all.


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Wednesday, February 09, 2005 10:09 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] IPS 

On Wed, 09 Feb 2005 11:30:12 EST, Wes Young said:
> but what about the IPS's that only block the bad traffic, in theory,
> shouldn't an ips only block those packets that are spoofed, and not the
> ones that (it detects) are real?

And it tells the difference, *how* exactly?  If you were to see a TCP
packet coming from, how do you know it came from my
and not some host in Taiwan? (Remember you'll almost certainly receive
packet from the same upstream router in either case, unless you're a
ASN and you *know* why uRPF filtering doesn't work for you. ;)

> day to day business.... If it detects a spoofed IP it should drop
> but if reg traffic is mixed in there, it should only drop the
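
An added example, not part of the original thread: a strict reverse-path check simulated at two places, showing why a router next to the sender can drop a forged source while a device at the receiving campus sees genuine and forged packets arrive on the same upstream interface. The routing tables, interface names and addresses are constructed (RFC 5737 documentation prefixes).

```python
import ipaddress

# Constructed routing tables using documentation prefixes (RFC 5737).
# Each entry: (prefix, interface used to reach that prefix).
EDGE_NEAR_SENDER = [("192.0.2.0/24", "cust0"), ("0.0.0.0/0", "upstream0")]
CAMPUS_BORDER = [("198.51.100.0/24", "inside0"), ("0.0.0.0/0", "upstream0")]


def route_iface(routes, src):
    """Longest-prefix match: the interface this router uses to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def strict_rpf_accepts(routes, src, in_iface):
    """Strict reverse-path check: accept only if the route back to the
    claimed source leaves through the interface the packet arrived on."""
    return route_iface(routes, src) == in_iface


def verdicts(routes, packets):
    """Return 'pass'/'drop' per (label, claimed_src, in_iface) packet."""
    return {label: "pass" if strict_rpf_accepts(routes, src, iface) else "drop"
            for label, src, iface in packets}


# At the router next to the sending network, a forged source stands out.
NEAR_SENDER = verdicts(EDGE_NEAR_SENDER, [
    ("honest customer host", "192.0.2.10", "cust0"),
    ("customer forging 203.0.113.7", "203.0.113.7", "cust0"),
])

# At the receiving campus, genuine and forged packets claiming 203.0.113.7
# both arrive on upstream0, so the same check cannot separate them.
AT_CAMPUS = verdicts(CAMPUS_BORDER, [
    ("genuine 203.0.113.7", "203.0.113.7", "upstream0"),
    ("forged 203.0.113.7", "203.0.113.7", "upstream0"),
    ("outside packet claiming inside source", "198.51.100.5", "upstream0"),
])

if __name__ == "__main__":
    for name, result in (("near sender", NEAR_SENDER), ("at campus", AT_CAMPUS)):
        for label, verdict in result.items():
            print(f"{name:12} {label:40} {verdict}")
```

The only forged packet the campus border can reject on its own is one arriving from outside while claiming an inside source address.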
