Educause Security Discussion mailing list archives
Re: IPS vulnerable to Spoofing
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 17 Feb 2006 13:25:09 -0500
On Thu, 16 Feb 2006 18:43:00 PST, John Kemp said:
> Most of the IPS's have exemption lists that the owner can create in order to guarantee that this kind of event does not happen.
True. If it *doesn't* have a whitelist ability, run. Quickly.
> Most institutions also take anti-spoofing measures in their networks at the border for remote attacks and at each subnet interface internally to prevent local attacks by limited checking of source IP addresses.
Unfortunately, this is wishful thinking. There's large chunks of the Internet that don't do proper ingress/egress filtering. The best current estimate of the prevalence of proper filtering is probably the Spoofer project at MIT: http://momo.lcs.mit.edu/spoofer/summary.php
They show only a 75% or so usage of filtering. This is likely to be too high, as it's an estimate based on only 1,900 or so data points - and Spoofer has almost certainly been fed data predominantly from the sort of networks that have a security clue. They probably have almost zero data points from the clueless networks that don't read the mailing lists where Spoofer has been mentioned. My personal gut feeling is that the actual number is probably between 50 and 60%, hardly an overwhelming "most".
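The two defenses discussed in this message, written out as an added example (not code from the thread or from any IPS product): border anti-spoofing can only reject packets that claim the site's own addresses, so an exemption list is still needed for outside hosts whose source addresses the site cannot verify. The prefixes, exempt hosts and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
INTERNAL = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]
EXEMPT = [ipaddress.ip_network("192.0.2.53/32"),    # hypothetical campus DNS server
          ipaddress.ip_network("203.0.113.10/32")]  # hypothetical off-site mail relay

def _in(addr, nets):
    return any(addr in n for n in nets)

def border_filter(src, direction):
    """Anti-spoofing check at the border; direction is 'ingress' or 'egress'."""
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        # Packets arriving from outside must not claim one of our own addresses.
        return "drop" if _in(addr, INTERNAL) else "pass"
    if direction == "egress":
        # Packets leaving must carry one of our own addresses as source.
        return "pass" if _in(addr, INTERNAL) else "drop"
    raise ValueError(f"unknown direction: {direction}")

def ips_decision(src, direction, signature_hit):
    """IPS action for one packet. The source address is treated as unverified,
    so a signature hit never auto-blocks an exempt address."""
    if border_filter(src, direction) == "drop":
        return "drop-spoofed"
    if not signature_hit:
        return "forward"
    if _in(ipaddress.ip_address(src), EXEMPT):
        return "alert-only"   # log for a human; do not block the address
    return "block-source"

def demo():
    cases = [
        ("192.0.2.53", "ingress", True),     # outside packet claiming our DNS server
        ("203.0.113.10", "ingress", True),   # exempt outside host; cannot be verified here
        ("203.0.113.77", "ingress", True),   # unknown outside host
        ("10.9.9.9", "egress", False),       # inside host sending with a foreign source
        ("198.51.100.20", "egress", True),   # inside host, genuine address
    ]
    return [ips_decision(*c) for c in cases]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second case is the one local filtering cannot help with: whether a packet claiming 203.0.113.10 is genuine depends on filtering in the network it actually came from, which is why the exemption list carries the load there.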
Current thread:
- IPS vulnerable to Spoofing Dave Huth (Feb 16)
- <Possible follow-ups>
- Re: IPS vulnerable to Spoofing John Kemp (Feb 16)
- Re: IPS vulnerable to Spoofing Valdis Kletnieks (Feb 17)
- Re: IPS vulnerable to Spoofing Valdis Kletnieks (Feb 17)