Educause Security Discussion mailing list archives

Re: IPS vulnerable to Spoofing


From: John Kemp <kemp () NETWORK-SERVICES UOREGON EDU>
Date: Thu, 16 Feb 2006 18:43:00 -0800

On Thursday 16 February 2006 17:52, Dave Huth wrote:
IPS systems detect attacks and react to stop the attack in real time.  An in-line IPS will usually filter the
attacking traffic.  Out-of-band IPS systems usually reset the connection or insert a firewall rule to block the
traffic.  In either case (especially out-of-band) an attacker can spoof an IP address of a valuable service, having
the IPS react not on the attacker but on the valuable service.

Has anyone done a risk assessment of out-of-band IPS with the spoof in mind?

Dave Huth
OIT Technical Services
University of Utah


Most of the IPS's have exemption lists that the owner can
create in order to guarantee that this kind of event does not happen.

Most institutions also take anti-spoofing measures in their networks at
the border for remote attacks and at each subnet interface internally
to prevent local attacks by limited checking of source IP addresses.

--

John G. Kemp ( kemp () network-services uoregon edu )
http://security.uoregon.edu/ mailto:security () uoregon edu
pgp:C9BE D1C4 9893 1A9E FF1A  B354 77DE E6DC A3CA 7130
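
One way the two safeguards named in this reply (an exemption list and limited source-address checking) could gate the block decision of an out-of-band IPS, as an added example that is not part of the original message. The addresses (documentation ranges), interface names and the `decide` function are constructed for illustration and do not come from any product.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
EXEMPT = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "192.0.2.80/32")]
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]
SUBNET_OF_IFACE = {
    "vlan10": ipaddress.ip_network("192.0.2.0/25"),
    "vlan20": ipaddress.ip_network("192.0.2.128/25"),
}


def source_is_plausible(src, iface):
    """Limited source-address check, at the border and per subnet interface."""
    addr = ipaddress.ip_address(src)
    if iface == "border":
        # Traffic arriving from outside must not claim an internal source.
        return not any(addr in net for net in INTERNAL)
    # On an internal interface the source must belong to that subnet.
    net = SUBNET_OF_IFACE.get(iface)
    return net is not None and addr in net


def decide(alert):
    """Return (action, reason) for one alert dict with 'src' and 'iface'."""
    addr = ipaddress.ip_address(alert["src"])
    if any(addr in net for net in EXEMPT):
        # Never insert a block rule against a protected service address.
        return ("alert-only", "source is on the exemption list")
    if not source_is_plausible(alert["src"], alert["iface"]):
        # Blocking here would punish the real owner of a forged address.
        return ("alert-only", "source address fails anti-spoofing check")
    return ("block", "source not exempt and plausible for interface")


if __name__ == "__main__":
    # Constructed alerts: (claimed source, interface the packet was seen on).
    samples = [
        {"src": "192.0.2.53", "iface": "border"},
        {"src": "192.0.2.10", "iface": "border"},
        {"src": "192.0.2.200", "iface": "vlan10"},
        {"src": "198.51.100.7", "iface": "border"},
    ]
    for a in samples:
        print(a["src"], a["iface"], *decide(a))
```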

