Educause Security Discussion mailing list archives

Re: IPS vulnerable to Spoofing


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 17 Feb 2006 13:25:09 -0500

On Thu, 16 Feb 2006 18:43:00 PST, John Kemp said:

> Most of the IPS's have exemption lists that the owner can
> create in order to guarantee that this kind of event does not happen.

True.  If it *doesn't* have a whitelist ability, run. Quickly.

> Most institutions also take anti-spoofing measures in their networks at
> the border for remote attacks and at each subnet interface internally
> to prevent local attacks by limited checking of source IP addresses.

Unfortunately, this is wishful thinking.  There are large chunks of the Internet
that don't do proper ingress/egress filtering.

The best current estimate of the prevalence of proper filtering is probably
the Spoofer project at MIT:

 http://momo.lcs.mit.edu/spoofer/summary.php

They show only a 75% or so usage of filtering.  This is likely to be
too high, as it's an estimate based on only 1,900 or so data points - and
Spoofer has almost certainly been fed data predominantly from the sort
of networks that have a security clue.  They probably have almost zero
data points from the clueless networks that don't read the mailing lists
where Spoofer has been mentioned.  My personal gut feeling is that the
actual number is probably between 50 and 60%, hardly an overwhelming "most".
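The two-tier source-address check discussed in this thread (border ingress/egress filtering plus a per-subnet check), as an added illustration that is not part of the original post; the prefixes, interface names and sample packets are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed topology (hypothetical documentation prefixes, not from the post).
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
SUBNET_PREFIXES = {  # internal subnet interface -> prefixes that may appear as source there
    "vlan10": [ipaddress.ip_network("192.0.2.0/25")],
    "vlan11": [ipaddress.ip_network("192.0.2.128/25")],
    "vlan20": [ipaddress.ip_network("198.51.100.0/24")],
}

def _in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)

def check_packet(iface: str, src: str, direction: str) -> Tuple[bool, str]:
    """Decide (permit, reason) from the source address and the interface it arrived on.
    direction is "in" (entering the site) or "out" (leaving); it only matters at the border."""
    a = ipaddress.ip_address(src)
    if iface == "border":
        if direction == "in":
            # Ingress filter: traffic from outside must not claim one of our own addresses.
            if _in_any(a, INTERNAL_PREFIXES):
                return False, "inbound packet with internal source"
            return True, "ok"
        # Egress filter: traffic leaving must carry a source we actually own.
        if not _in_any(a, INTERNAL_PREFIXES):
            return False, "outbound packet with foreign source"
        return True, "ok"
    # Per-subnet check: a host may only use an address belonging to its own subnet.
    allowed = SUBNET_PREFIXES.get(iface)
    if allowed is None:
        return False, "unknown interface"
    if not _in_any(a, allowed):
        return False, f"source not in {iface} prefix"
    return True, "ok"

def dropped(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Run every (iface, src, direction) tuple through check_packet; return the drops with reasons."""
    out = []
    for iface, src, direction in packets:
        ok, reason = check_packet(iface, src, direction)
        if not ok:
            out.append((iface, src, reason))
    return out

SAMPLE = [  # constructed sample traffic
    ("border", "203.0.113.7", "in"),   # ordinary inbound packet
    ("border", "192.0.2.10", "in"),    # inbound packet claiming our address: spoofed
    ("border", "192.0.2.10", "out"),   # ordinary outbound packet
    ("border", "203.0.113.7", "out"),  # outbound packet with a foreign source: spoofed
    ("vlan10", "192.0.2.10", "in"),    # host using an address from its own subnet
    ("vlan10", "192.0.2.200", "in"),   # host on vlan10 using vlan11's range
]
```

Note that the per-subnet check only catches spoofing across subnets; a host forging another address inside its own /25 passes, which is the "limited" checking the quoted text refers to.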
