nanog mailing list archives
Re: Checkpoint IPS
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Fri, 06 Feb 2015 21:18:08 +0700
On 6 Feb 2015, at 20:08, Ray Soucy wrote:
An IDS tied into an internal RTBH setup to leverage uRPF filtering in hardware can be pretty effective at detecting and blocking the typical UDP attacks out there before they reach systems that don't handle that as gracefully (e.g. firewalls or host systems).
Using flow telemetry for this scales much, much better. One could easily set something like this up using open source flow telemetry collection/analysis tools.
Of course, giving attackers the ability to spoof the IP addresses of their choice and then induce your network infrastructure into blocking said IP addresses isn't necessarily optimal, IMHO. I'm not a big fan of any kind of auto-mitigation for this reason - it's best to have a human operator in the loop.
If one is determined to do this kind of auto-mitigation, it's probably a good idea to whitelist certain things which ought never to be S/RTBHed via appropriate route filtering on the trigger and/or edge devices where traffic will be dropped.
----------------------------------- Roland Dobbins <rdobbins () arbor net>
Current thread:
- Re: Checkpoint IPS, (continued)
- Re: Checkpoint IPS Nick Hilliard (Feb 05)
- Re: Checkpoint IPS Roland Dobbins (Feb 05)
- Re: Checkpoint IPS Terry Baranski (Feb 05)
- Re: Checkpoint IPS Valdis . Kletnieks (Feb 05)
- Re: Checkpoint IPS Terry Baranski (Feb 05)
- Re: Checkpoint IPS Roland Dobbins (Feb 05)
- RE: Checkpoint IPS Terry Baranski (Feb 05)
- Re: Checkpoint IPS Roland Dobbins (Feb 05)
- Re: Checkpoint IPS Patrick Tracanelli (Feb 05)
- Re: Checkpoint IPS Ray Soucy (Feb 06)
- Re: Checkpoint IPS Roland Dobbins (Feb 06)
- Re: Checkpoint IPS Patrick Tracanelli (Feb 06)
- RE: Re: Checkpoint IPS Darden, Patrick (Feb 06)
- RE: Re: Checkpoint IPS Darden, Patrick (Feb 06)
- Re: Checkpoint IPS Roland Dobbins (Feb 06)
- RE: Re: Checkpoint IPS Darden, Patrick (Feb 06)
- Re: Checkpoint IPS Roland Dobbins (Feb 06)
- Re: Checkpoint IPS Ca By (Feb 07)
- Re: Checkpoint IPS BPNoC Group (Feb 08)
- Re: Checkpoint IPS Roland Dobbins (Feb 08)
- Re: Checkpoint IPS Colin Johnston (Feb 06)