IDS mailing list archives

Re: amount of alarms generated by IDS


From: Dennis Cox <dcox () tippingpoint com>
Date: Tue, 11 May 2004 23:36:57 -0500

Jason,

I had to take you up on your offer. Here's a recent example we heard back from a customer.

A large cable company that provides broadband Internet access uses software to monitor and provide troubleshooting support for subscribers. When their DNS server changed, the software caused a terrible traffic problem with a large number of DNS requests. Using our IPS they were able to do two things: one, Traffic Thresholds gave them the ability to detect and act on the abnormal traffic by blocking or rate shaping (administrator's choice). The threshold detected a large amount of DNS traffic of a certain type and limited DNS traffic of this type to a preset amount (10 percent of total bandwidth - it was eating up over 70 percent). They were able to write a filter for this traffic and install it in the IPSs to remove the traffic in the end. A good example of zero-day protection.

Another example of how an IPS can protect you is from bad network equipment. A Sun server had a bad Ethernet cable that was creating malformed packets that would knock out the ********** firewall. It basically created an ISIC attack in its own way. An IPS was installed and the firewall was fine. The customer, however, noted that he was still dropping lots of traffic. Sure enough, the IPS was dropping the invalid Ethernet frames and notifying them. He investigated, replaced the Ethernet cable, and problem solved.

So in both these cases an IPS was able to detect "wacky" network conditions and protect the network (or help diagnose - depends on your point of view). Your statement regarding patching is true - it's a really good idea. However, what do you do when a patch comes out and you need to install it on 30,000 machines before the attack comes out (sometimes the next day)? Or if you're a university - how do you patch machines that aren't yours?

Dennis


On May 11, 2004, at 5:12 PM, Jason wrote:

I am looking for examples of any case where an inline IPS blocked an
attack that would not have been blocked or mitigated otherwise by a good
firewall and patching or mitigating a known vulnerability.

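The Traffic Threshold behaviour in Dennis's first example (alarm when one class of DNS traffic exceeds a preset share of the link, then shape it down to that share) can be modelled in a few lines. This is an added illustration, not code from the post or from any vendor product; the link speed, the one-second interval, the "UDP to port 53" definition of the DNS class and the packet trace are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    t: float     # arrival time, seconds
    proto: str   # "udp" or "tcp"
    dport: int   # destination port
    size: int    # bytes on the wire

LINK_BPS = 1_000_000   # assumed 1 Mbit/s link (constructed value)
DNS_SHARE_CAP = 0.10   # preset: the DNS class may use 10% of total bandwidth, as in the post

def is_dns(p: Packet) -> bool:
    # The "certain type" of DNS traffic; here assumed to be UDP to port 53.
    return p.proto == "udp" and p.dport == 53

def threshold_shape(packets, link_bps=LINK_BPS, cap=DNS_SHARE_CAP, interval=1.0):
    """Per interval: raise an alarm when the DNS class exceeds `cap` of link capacity,
    and pass DNS bytes only up to that budget (rate shaping). Other traffic is untouched."""
    budget = cap * link_bps * interval / 8          # DNS bytes allowed per interval
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.t // interval)].append(p)
    report = []
    for idx in sorted(buckets):
        dns_bytes = sum(p.size for p in buckets[idx] if is_dns(p))
        passed = dropped = 0
        for p in sorted(buckets[idx], key=lambda q: q.t):   # first come, first served
            if not is_dns(p):
                continue
            if passed + p.size <= budget:
                passed += p.size
            else:
                dropped += p.size                    # shaped away once the budget is spent
        share = dns_bytes * 8 / (link_bps * interval)
        report.append({"interval": idx, "dns_share": round(share, 3),
                       "alarm": share > cap, "dns_passed": passed, "dns_dropped": dropped})
    return report

def sample_packets():
    """Constructed trace: a DNS storm in second 0 (200 x 500-byte queries = 80% of the link),
    normal load in second 1 (10 x 100-byte queries), plus a little web traffic in both."""
    pkts = [Packet(i * 0.004, "udp", 53, 500) for i in range(200)]
    pkts += [Packet(0.5, "tcp", 443, 1500)]
    pkts += [Packet(1.0 + i * 0.05, "udp", 53, 100) for i in range(10)]
    pkts += [Packet(1.2, "tcp", 80, 1500)]
    return pkts

if __name__ == "__main__":
    for row in threshold_shape(sample_packets()):
        print(row)
```

The storm interval alarms and is cut to exactly the 10 percent budget, while the quiet interval passes untouched; a real product would also count and notify on the dropped bytes, as the post describes.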
