RE: IDS that retaliates.

From: Steve (steve@securesolutions.org)
Date: 03/08/02


From: "Steve" <steve@securesolutions.org>
To: "'Kohlenberg, Toby'" <toby.kohlenberg@intel.com>, "'Marcus J. Ranum'" <mjr@nfr.com>, "'Mark Crosbie'" <mcrosbie@cup.hp.com>, "'Carr, Aaron [CNTUS]'" <CarrA@Centocor.com>
Date: Thu, 7 Mar 2002 20:22:46 -0700

I think what Marcus was referring to as "coming in the next 4 or 5
years" was the ability for Intrusion Detection to be more reliable. I
highly doubt we will ever see 100% but we should be able to get close.
As far as IDSs that retaliate, there are current products out there
that will reconfigure your firewall, drop connections, and in some cases
even blackhole addresses. This, of course, depending on the technology,
can lead to some interesting denial of service attacks where you use this
"smart IDS" to effectively block portions of the net out.

Here is an amusing story I will share -- names have been changed to
protect the guilty. There is a product that is marketed as a personal
firewall for corporate end users. This product has some IDS-type
features, such as when it detects a port scan it will automatically add
the offending IP address to a DENY ALL ruleset.

What was interesting about this product was that if an IP address was in
the DENY ALL listing, no traffic would be allowed in to the protected
host or out from the protected host to that IP address. Some colleagues
of mine took a look at this product and found that the way it detected
port scans was based on a TXT file that was essentially a list of ports
to monitor. Once one of the listed ports was hit with a connection attempt
(or half connection) it would automatically consider it a port scan and
block the offending IP address.

Obviously this is a flawed design and combined with the fact that the
product does not handle spoofed IP addresses (it makes no effort to
determine if the attacking IP is really the attacking IP) makes for some
great DoS attacks.

Steve Manzuik
Secure Solutions
www.securesolutions.org

> -----Original Message-----
> From: Kohlenberg, Toby [mailto:toby.kohlenberg@intel.com]
> Sent: Thursday, March 07, 2002 2:52 PM
> To: 'Marcus J. Ranum'; Mark Crosbie; Carr, Aaron [CNTUS]
> Cc: 'charles.skoglund@om.com';
> security-basics@securityfocus.com; focus-ids@securityfocus.com
> Subject: RE: IDS that retaliates.
>
>
> NOTE: All opinions are my own and in no way reflect the views
> of my employer.
>
> Actually, the capabilities you describe as coming in the next
> 4 or 5 years for IDS are here or coming in the next year for
> central monitoring consoles. By implementing it in a
> sensor-neutral system you can implement a solution that
> performs the confidence evaluation using detection tools that
> are best-of-breed (as cliche as that line is) for their specific
> technique - protocol analysis, traffic analysis or straight
> signature matching.
>
> Toby
>
> > -----Original Message-----
> > From: Marcus J. Ranum [mailto:mjr@nfr.com]
> > Sent: Wednesday, March 06, 2002 4:01 PM
> > To: Mark Crosbie; Carr, Aaron [CNTUS]
> > Cc: 'charles.skoglund@om.com'; security-basics@securityfocus.com;
> > focus-ids@securityfocus.com
> > Subject: RE: IDS that retaliates.
> >
> >
> > Mark Crosbie wrote:
> > >What good does retaliation really get you though (apart from a whole
> > >load of legal headache)? Wouldn't "recovery" be a better goal to aim
> > >for?
> >
> > We've often gotten requests for "firewall reconfiguration" or other types
> > of "reaction" - what's interesting to me is that all these requests:
> > - reaction
> > - retaliation
> > - repair
> > will be limited by the degree of certainty the IDS is able to achieve. If
> > you've got a 100% accurate diagnosis of the attack and its source then
> > you _might_ be able to take some steps. If it's not 100% accurate then
> > things start to go rapidly downhill. :) I think that in the next 4 or 5
> > years we'll see IDS getting close to being able to do such things but
> > before we get there, you'll see:
> > - IDS correlation of significance: mapping events against types of
> >   attacks against types of targets and re-prioritizing their
> >   significance.
> > - IDS indication of confidence level: IDS will start to associate a
> >   confidence value with an alert instead of just a severity. This is an
> >   "oh, DUH!" that a lot of us security guys have had recently: the
> >   severity of the problem is _not_ the same as the IDS' confidence
> >   of its diagnosis.
> > - Establishment of mapping between significance (operationally set)
> >   of targets versus reactions.
> >
> > Heck, I'd like my system not to retaliate or reconfigure but
> > to fix itself. :)
> >
> > ALERT: SYSALERT, Severity=10, Confidence=10 - your system was
> > vulnerable to attacks that are being launched against it. OpenBSD has
> > automatically been installed replacing the copy of Linux that was on
> > it...
> >
> > :)
> >
> > mjr.
> >
>
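
The port-list trigger described in the message above, set beside a more conservative blocking policy, as an added example that is not part of the original thread. The port numbers, addresses, thresholds and function names are constructed for illustration, and the hardened policy is one possible design, not any product's.

```python
from collections import defaultdict

MONITORED_PORTS = {23, 111, 135}           # stand-in for the product's TXT port list (constructed)
NEVER_BLOCK = {"192.0.2.53", "192.0.2.1"}  # hypothetical DNS resolver and default gateway
WINDOW = 10.0       # seconds over which distinct ports are counted (assumed value)
MIN_PORTS = 3       # distinct monitored ports needed before blocking (assumed value)
BLOCK_TTL = 300.0   # seconds until a block expires by itself (assumed value)

# Constructed events: (time, claimed source IP, destination port, handshake completed)
EVENTS = [
    (0.0, "192.0.2.53", 23, False),    # one half-open hit carrying the resolver's address
    (1.0, "198.51.100.7", 23, True),
    (1.5, "198.51.100.7", 111, True),
    (2.0, "198.51.100.7", 135, True),  # third distinct port inside the window
    (3.0, "203.0.113.9", 135, False),  # one stray half-open probe
]

def naive_blocklist(events):
    """Design from the message: any single hit on a listed port blocks the source for good."""
    return {src for _, src, port, _ in events if port in MONITORED_PORTS}

def hardened_blocklist(events, now):
    """Block only on verified, repeated evidence; never block protected hosts; expire blocks."""
    seen = defaultdict(list)   # src -> [(time, port)] from completed handshakes only
    blocked = {}               # src -> expiry time
    for t, src, port, completed in sorted(events):
        # A half-open attempt proves nothing about who sent it, so it is not counted.
        if port not in MONITORED_PORTS or not completed or src in NEVER_BLOCK:
            continue
        seen[src] = [(ts, p) for ts, p in seen[src] if t - ts <= WINDOW] + [(t, port)]
        if len({p for _, p in seen[src]}) >= MIN_PORTS:
            blocked[src] = t + BLOCK_TTL
    return {src for src, expiry in blocked.items() if expiry > now}

if __name__ == "__main__":
    print("naive:   ", sorted(naive_blocklist(EVENTS)))
    print("hardened:", sorted(hardened_blocklist(EVENTS, now=5.0)))
```

With the naive rule the protected host loses its resolver after a single unverified packet; the hardened rule blocks only the source that completed handshakes to three listed ports, and that block lapses after `BLOCK_TTL`.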


