[ISN] Web Attack Crashes TippingPoint IPS

From: InfoSec News (isn@private)
Date: Wed Jan 18 2006 - 01:07:31 PST


http://www.eweek.com/article2/0,1895,1912048,00.asp

By Paul F. Roberts 
January 17, 2006 

Mysterious Web attack traffic caused some of 3Com Corp.'s TippingPoint
IPS devices to crash last week, requiring a hasty patch by the
company.

Some TippingPoint customers had their IPS (intrusion prevention
system) appliances crash while trying to process a specific kind of
Internet attack traffic last week.

The company learned of the problem on Friday and issued an update for
the TOS (TippingPoint OS) software within hours, said Laura Craddick,
TippingPoint's public relations manager.

At York University in Toronto, TippingPoint IPS devices began crashing
repeatedly on Friday, Jan. 13, prompting a call to the vendor, said
Ramon Kagan of the University's Computing and Network Services
department.

The crashes were caused by malicious HTTP traffic that attempted to
trigger a known security vulnerability in another product. The HTTP
attack traffic eventually caused the TOS software, which runs the IPS
company's appliances, to crash, bringing down the whole device, he
said.

Reports of the crashes were sporadic, because only a very specific
type of attack traffic triggered the hole, Kagan said. He declined to
provide details about the malicious traffic that crashed the IPS
devices.

Complaints about the problem reached the Austin, Texas, company on
Friday; about one day after TippingPoint shipped updated attack
signatures to its clients. 3Com released new versions of the TOS
software to address the issue, Craddick said.

Customers who were affected by the crashes speculated in an online
discussion group that they may have been caused by a conflict with new
attack signatures distributed the day before.

However, TippingPoint contends that the behavior was caused by a flaw
in the TOS software, not by a bad signature, Craddick said.

The university has been using TippingPoint's IPS technology for two
years, Kagan said.

With the TippingPoint appliance offline, staff at York University had
to deal with a mild increase in traffic, and used IDS (intrusion
detection system) software to filter out some attacks. However, Kagan
expressed satisfaction that 3Com responded within five hours with a
software patch that fixed the problem.

Customers who have not done so should upgrade their TippingPoint
appliances to version 2.1.4.6324 or 2.2.1.6506 of TOS, Craddick said.



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Wed Jan 18 2006 - 01:27:40 PST