Firewall Wizards mailing list archives
RE: Automated IDS response
From: Robert Graham <robert_david_graham () yahoo com>
Date: Sat, 12 Feb 2000 09:03:51 -0800 (PST)
For example, if you see somebody pinging your machine looking for BackOrifice, nothing happens. Not only can such things be spoofed, but you see a lot of them from many hackers. What the hacker is really doing is scanning millions of machines for BackOrifice. That is likely the only packet you'll ever see from the hacker, so it isn't worthwhile destabilizing your firewall blocking the person. The average cable-modem user gets 20 non-spoofed scans per day -- it really isn't worthwhile reconfiguring the firewall for each one.

On the other hand, if your machine sees your machine respond to a BackOrifice request, then it goes into a tizzy and starts blocking things and giving higher priority alerts.

Robert Graham
CTO/Network ICE

--- "Kopf , Patrick E." <PEKopf () missi ncsc mil> wrote:
Network Ice's BlackIce Defender IDS does this type of traffic blocking (based on type of attack). Defender only blocks traffic for attacks that are 'non-spoofable'. I don't know if they're the only IDS that does this or not.

Pat Kopf

-----Original Message-----
From: Michael B. Rash [mailto:mbr () math umd edu]
Sent: Thursday, February 10, 2000 6:09 PM
To: firewall-wizards () nfr net
Subject: Automated IDS response

Having your IDS respond automatically to an IP that is generating questionable traffic by dynamically managing your router ACLs (or other similar action; tcpwrappers, ipchains, etc...) to deny all traffic from the IP can be a risky thing to do from a DoS perspective; nmap's decoy option comes to mind. It would seem that any IDS should only block traffic from an IP based on an attack signature that requires bi-directional communication, like a CGI exploit over http/80 or something. Are there guidelines for deploying IDS response that discuss methods for minimizing false positives? Are there any *good* ways of doing this?

--Mike
http://www.math.umd.edu/~mbr
=====
Robert Graham
http://www.robertgraham.com/pubs
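The response policy the thread converges on (block a source only when the triggering traffic proves the address was real, log everything else) is small enough to write down. The following is an added example, not code from the thread, from Network ICE, or from any real IDS; the Alert fields, the Responder class and the rule-table cap are hypothetical constructs, and the sample alerts are constructed for illustration.

```python
"""Automated-response policy sketch: block only on non-spoofable evidence.

Added illustration, not a real product. Alert fields (handshake_completed,
victim_responded) are assumed to come from a sensor that tracks both
directions of a flow; names are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    LOG = "log"      # record only, low priority
    ALERT = "alert"  # raise to an operator, no firewall change
    BLOCK = "block"  # add a dynamic deny rule for the source address


@dataclass(frozen=True)
class Alert:
    """One IDS event. Constructed fields; a real sensor would populate them."""
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp" or "udp"
    signature: str
    handshake_completed: bool  # sensor saw the full TCP three-way handshake
    victim_responded: bool     # sensor saw dst_ip answer the probe


def is_spoofable(alert: Alert) -> bool:
    """A single unsolicited packet carries no proof of its source address.

    Evidence of bi-directional communication (a completed handshake, or the
    protected host replying) is what makes the source address trustworthy.
    """
    return not (alert.handshake_completed or alert.victim_responded)


def decide(alert: Alert) -> tuple[Action, int]:
    """Return (action, priority 1..10) for one alert."""
    if is_spoofable(alert):
        # e.g. a BackOrifice probe on udp/31337: could be forged, and the
        # sender is probably sweeping millions of hosts. Not worth a rule.
        return Action.LOG, 2
    if alert.victim_responded:
        # Our host answered the probe: it is likely compromised, and the
        # source genuinely talked to it. Highest priority, and block.
        return Action.BLOCK, 10
    # Completed TCP session (e.g. a CGI exploit over tcp/80): source is real.
    return Action.BLOCK, 7


class Responder:
    """Applies decisions while capping how much the firewall gets churned."""

    def __init__(self, max_dynamic_rules: int = 100):
        self.max_dynamic_rules = max_dynamic_rules
        self.blocked: set[str] = set()
        self.decisions: list[tuple[str, str, Action, int]] = []

    def handle(self, alert: Alert) -> Action:
        action, prio = decide(alert)
        if action is Action.BLOCK and alert.src_ip not in self.blocked:
            if len(self.blocked) >= self.max_dynamic_rules:
                # Rule table full: degrade to an alert rather than thrash.
                action = Action.ALERT
            else:
                self.blocked.add(alert.src_ip)
        self.decisions.append((alert.src_ip, alert.signature, action, prio))
        return action


# Constructed sample events (addresses are documentation ranges).
SAMPLE_ALERTS = [
    Alert("198.51.100.7", "192.0.2.10", "udp", "backorifice-probe", False, False),
    Alert("198.51.100.8", "192.0.2.10", "udp", "backorifice-probe", False, False),
    Alert("203.0.113.5", "192.0.2.10", "udp", "backorifice-reply", False, True),
    Alert("203.0.113.9", "192.0.2.20", "tcp", "cgi-phf-exploit", True, False),
    Alert("203.0.113.9", "192.0.2.20", "tcp", "cgi-phf-exploit", True, False),
]


def run_sample() -> tuple[list[str], list[Action]]:
    """Feed the constructed alerts through a Responder; return what it did."""
    responder = Responder()
    actions = [responder.handle(a) for a in SAMPLE_ALERTS]
    return sorted(responder.blocked), actions


if __name__ == "__main__":
    blocked, actions = run_sample()
    for alert, action in zip(SAMPLE_ALERTS, actions):
        print(f"{alert.src_ip:15} {alert.signature:18} -> {action.value}")
    print("dynamic deny rules:", blocked)
```

Two sources sending a single probe each produce only log entries, which is the cheap outcome the thread recommends for the daily background of scans; the two sources with bi-directional evidence become deny rules, and the repeated CGI alert from an already-blocked address does not touch the firewall again. The rule-table cap is one way to bound how badly a decoy flood can degrade the firewall even when every alert passes the spoofability test.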
Current thread:
- Automated IDS response Michael B. Rash (Feb 11)
- <Possible follow-ups>
- RE: Automated IDS response Kopf , Patrick E. (Feb 12)
- Re: Automated IDS response Michael H. Warfield (Feb 14)
- Re: Automated IDS response Michael B. Rash (Feb 14)
- Re: Automated IDS response Andy (Feb 14)
- Re: Automated IDS response Lance Spitzner (Feb 15)
- Re: Automated IDS response Michael H. Warfield (Feb 14)
- RE: Automated IDS response Robert Graham (Feb 14)
- RE: Automated IDS response Crumrine, Gary L (Feb 15)
- RE: Automated IDS response Marcus J. Ranum (Feb 15)
- Re: Automated IDS response Paul Cardon (Feb 17)
- RE: Automated IDS response Robert Graham (Feb 15)
- RE: Automated IDS response Russ Wolfe (Feb 16)
- RE: Automated IDS response ark (Feb 17)