[unisog] IPS

marchany at vt.edu marchany at vt.edu
Wed Feb 9 19:55:34 GMT 2005


>Umm... you can deal with spoofed packets from your own network but how
>can any router under your control know that the source address is
>spoofed?  It can't and nor can your IPS.

One would hope your netadmins have properly set up the ACL on ALL routers to 
trash spoofed IPs from outside your (sub)net. That restricts the spoofer and 
spoofee to the same subnet. It doesn't prevent spoofing within the subnet but 
at least you've narrowed the suspects down a little.

We've seen DOS attacks aimed at blocking machines on subnets. An easy way to 
test your IPS is to craft some packets using something like HPING2 and see how 
the IPS reacts. Some of my early tests showed it was quite easy to DOS an 
IPS'd subnet from itself :-) using hping2. While I hesitate to use the term 
IPS for something like portsentry, it was easy to fake the portsentry'd host 
into blocking an unsuspecting host on the same subnet. We get so wrapped up 
trying to protect a host service that we sometimes fail to look at the DOS 
attack as a viable attack.

I used to test out password lockouts by intentionally entering fake passwords 
and seeing how long it took to reset the accounts. I used this reaction time 
to figure out how much of an attack window a hacker would have. Back in the 
late 90's, we experienced such an attack here. Critical accounts were locked 
out and the attack happened during the "reset" time window.  I haven't 
forgotten that lesson :-).

Gary is absolutely correct in pointing out that you have to be extremely 
careful balancing the risk vs. protection tradeoffs.

	Randy Marchany
	VA Tech




More information about the unisog mailing list