RE: Automated IDS response

From: Robert Graham (robert_david_grahamat_private)
Date: Sat Feb 12 2000 - 09:03:51 PST


    For example, if you see somebody pinging your machine looking for BackOrifice,
    nothing happens. Not only can such things be spoofed, but you see a lot of them
    from many hackers. What the hacker is really doing is scanning millions of
    machines for BackOrifice. That is likely the only packet you'll ever see from
    the hacker, so it isn't worthwhile destabilizing your firewall blocking the
    person. The average cable-modem user gets 20 non-spoofed scans per day -- it
    really isn't worthwhile reconfiguring the firewall for each one.
    
    On the other hand, if your machine sees your machine respond to a BackOrifice
    request, then it goes into a tizzy and starts blocking things and giving higher
    priority alerts.
    
    Robert Graham
    CTO/Network ICE
    
    --- "Kopf , Patrick E." <PEKopfat_private> wrote:
    > Network Ice's BlackIce Defender IDS does this type of traffic blocking
    > (based on type of attack).  Defender only blocks traffic for attacks that
    > are 'non-spoofable'.  I don't know if they're the only IDS that does this or
    > not.
    > 
    > Pat Kopf
    > 
    > -----Original Message-----
    > From: Michael B. Rash [mailto:mbrat_private]
    > Sent: Thursday, February 10, 2000 6:09 PM
    > To: firewall-wizardsat_private
    > Subject: Automated IDS response
    > 
    > 
    > 
    > Having your IDS respond automatically to an IP that is generating
    > questionable traffic by dynamically managing your router ACLs (or other
    > similar action; tcpwrappers, ipchains, etc...) to deny all traffic from
    > the IP can be a risky thing to do from a DoS perspective; nmap's decoy
    > option comes to mind.
    > 
    > It would seem that any IDS should only block traffic from an IP
    > based on an attack signature that requires bi-directional communication,
    > like a CGI exploit over http/80 or something.  Are there guidelines for
    > deploying IDS response that discusses methods for minimizing false
    > positives?  Are there any *good* ways of doing this?
    > 
    > --Mike
    > http://www.math.umd.edu/~mbr
    > 
    > 
    
    =====
    Robert Graham  http://www.robertgraham.com/pubs
    __________________________________________________
    Do You Yahoo!?
    Talk to your friends online with Yahoo! Messenger.
    http://im.yahoo.com
    
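The policy discussed in this thread (only block on evidence that requires bi-directional traffic, never on a single spoofable probe) can be written down as a small decision engine. The following is an added illustration and is not code from Network ICE, BlackIce Defender, or anyone on the list. It assumes a hypothetical packet record with a direction field ("in" toward the protected host, "out" from it), treats UDP port 31337 as the BackOrifice probe port, and uses two illustrative CGI request strings as stand-ins for a real signature set. The trace at the bottom is constructed: a lone BackOrifice probe, nmap-style decoy SYNs that never complete a handshake, one genuine attacker who completes the handshake and sends a CGI request, a forged data packet with no handshake behind it, and finally the host answering a BackOrifice request itself.

```python
from dataclasses import dataclass, field

BO_PORT = 31337                      # default BackOrifice UDP port
HTTP_PORT = 80
# Illustrative request strings standing in for a real CGI signature set (assumption)
CGI_SIGNATURES = (b"/cgi-bin/phf", b"/cgi-bin/test-cgi")


@dataclass
class Pkt:
    """Hypothetical packet record as an IDS sensor might hand it to the response engine."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    direction: str      # "in" = arriving at the protected host, "out" = leaving it
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class Verdict:
    alerts: list = field(default_factory=list)   # (priority, peer, reason)
    blocked: set = field(default_factory=set)    # peers we would push into the firewall ACL


def evaluate(packets):
    """Raise low-priority alerts for spoofable single packets; block only on
    evidence the peer really exchanged traffic with us."""
    v = Verdict()
    handshakes = {}   # (peer, peer_port) -> "syn" | "synack" | "established"
    for p in packets:
        peer = p.src if p.direction == "in" else p.dst
        if p.proto == "udp":
            if p.direction == "in" and p.dport == BO_PORT:
                # One packet, trivially spoofable: record it, never block on it.
                v.alerts.append(("low", peer, "BackOrifice probe"))
            elif p.direction == "out" and p.sport == BO_PORT:
                # Our own host answered from the BO port: it is compromised, and the
                # answer went to a real address. Escalate and block that peer.
                v.alerts.append(("high", peer, "host answered BackOrifice request"))
                v.blocked.add(peer)
            continue
        # TCP: track the three-way handshake per peer/port so we know the peer
        # actually received our SYN-ACK before we trust the source address.
        key = (peer, p.sport if p.direction == "in" else p.dport)
        state = handshakes.get(key)
        if p.direction == "in" and p.flags == "S":
            handshakes[key] = "syn"                 # could be a decoy; no proof yet
        elif p.direction == "out" and p.flags == "SA" and state == "syn":
            handshakes[key] = "synack"
        elif p.direction == "in" and p.flags == "A" and state == "synack":
            handshakes[key] = "established"         # peer saw our SYN-ACK: address is real
        elif p.direction == "in" and "P" in p.flags and state == "established":
            if p.dport == HTTP_PORT and any(s in p.payload for s in CGI_SIGNATURES):
                v.alerts.append(("high", peer, "CGI exploit attempt over established TCP"))
                v.blocked.add(peer)
        elif p.direction == "in" and "P" in p.flags:
            # Payload with no completed handshake behind it: easily forged, alert only.
            v.alerts.append(("low", peer, "payload on non-established connection"))
    return v


def sample_trace():
    """Constructed packet trace for the scenarios discussed in the thread."""
    host = "192.0.2.10"
    return [
        # 1. BackOrifice probe from a mass scanner (one packet, spoofable)
        Pkt("198.51.100.7", host, "udp", 1057, BO_PORT, "in", payload=b"probe"),
        # 2. nmap -D style decoys: bare SYNs, we answer, nobody completes the handshake
        Pkt("203.0.113.1", host, "tcp", 40000, 80, "in", "S"),
        Pkt(host, "203.0.113.1", "tcp", 80, 40000, "out", "SA"),
        Pkt("203.0.113.2", host, "tcp", 40000, 80, "in", "S"),
        Pkt(host, "203.0.113.2", "tcp", 80, 40000, "out", "SA"),
        # 3. the real attacker completes the handshake and sends a CGI exploit request
        Pkt("203.0.113.9", host, "tcp", 40001, 80, "in", "S"),
        Pkt(host, "203.0.113.9", "tcp", 80, 40001, "out", "SA"),
        Pkt("203.0.113.9", host, "tcp", 40001, 80, "in", "A"),
        Pkt("203.0.113.9", host, "tcp", 40001, 80, "in", "PA",
            b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
        # 4. a forged data packet with no handshake behind it
        Pkt("203.0.113.3", host, "tcp", 40002, 80, "in", "PA", b"GET /cgi-bin/phf HTTP/1.0\r\n"),
        # 5. our host answers a BackOrifice request: it is compromised
        Pkt("198.51.100.7", host, "udp", 1058, BO_PORT, "in", payload=b"probe"),
        Pkt(host, "198.51.100.8", "udp", BO_PORT, 1058, "out", payload=b"reply"),
    ]


if __name__ == "__main__":
    verdict = evaluate(sample_trace())
    for prio, peer, reason in verdict.alerts:
        print(f"{prio:5} {peer:15} {reason}")
    print("would block:", sorted(verdict.blocked))
```

Run as written, the engine blocks only 203.0.113.9 (handshake plus exploit payload) and 198.51.100.8 (our host answered it); the decoys, the forged data packet and the lone probe produce at most low-priority alerts. Two caveats a practitioner would add: a completed handshake proves the address is reachable, not that it belongs to the attacker rather than to a compromised intermediary, and whatever feeds the block list should still be capped and aged out so that a flood of genuine-looking sources cannot churn the firewall configuration.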



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:17 PDT