IDS mailing list archives

Re: IPS Futures


From: nick black <dank () qemfd net>
Date: Mon, 26 Jul 2004 12:05:24 +0000 (UTC)

On 2004-07-22, Ed Donegan <danceslikewhiteguy () hotmail com> wrote:
> I am curious how even wire speed IPS's analyze fragmented attacks without
> introducing network latency. Seems it would be a fairly fundamental problem
> for an inline network device.

You agree that the recipient host can't have latency less than the time
required for all fragments to reach it and be reassembled, no?  Provided
that, and discounting aggregate processing latency in the IPS due to
dealing with more iterations of per-packet code, there need be no
increased latency.  Our product allows each fragment through until
either a grave anomaly is noted, or the reassembled packet (modulo some
attempts to ameliorate insertion / deletion attacks) is analyzed as it
would have appeared prior to fragmentation.  Any one of these fragments
may be individually dropped, and so long as retransmits are also dropped
(and remember, fragments themselves can't be noted as missing à la TCP
segments), the attack is stopped and eventually ICMP Reassembly Time
Exceeded messages shall be your reward -- provided slick SMOPping, your
IPS can hopefully keep the rogue info long enough to block successfully.

You want to watch the fragments anyway, as they can give interesting
hints about all kinds of things.

-- 
nick black                  "np:  the class of dashed hopes and idle dreams."
free hearts, free foreheads -- you and i are old; old age hath yet his honour
and his toil; death closes all: but something ere the end, some work of noble
note, may yet be done, not unbecoming men that strove with gods.   (tennyson)
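The pass-through-then-reassemble scheme described above, as an added example that is not part of the original post or of any product mentioned in it: a toy inline handler forwards each fragment as it arrives, reassembles on the side, inspects the reassembled datagram, and if it matches drops the final fragment and any later retransmits of the same datagram, so the recipient can never complete reassembly. Fragment offsets are in bytes rather than IP's 8-byte units, the signature check, addresses and payloads are all constructed for the example, and the `overlap` policy ("first" or "last" data wins) is included to show how an overlapping-fragment insertion attack can make the IPS's view differ from the host's.

```python
# Added example, not from the original post: toy inline-IPS fragment handling.
# Simplifications: byte offsets instead of 8-byte units, a made-up signature,
# constructed sample traffic.  No reassembly timeout or memory cap is modelled.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int       # IP Identification field, shared by all fragments of one datagram
    proto: int
    offset: int      # byte offset of this payload within the original datagram
    more: bool       # IP "More Fragments" flag; False marks the final fragment
    payload: bytes


FlowKey = Tuple[str, str, int, int]


@dataclass
class Reassembly:
    frags: List[Fragment] = field(default_factory=list)
    total_len: Optional[int] = None   # known once the MF=0 fragment has been seen


class FragmentIPS:
    """Returns a per-packet verdict, 'FORWARD' or 'DROP', as an inline device must."""

    def __init__(self, is_attack: Callable[[bytes], bool], overlap: str = "first"):
        self.is_attack = is_attack
        self.overlap = overlap                    # which fragment wins on overlapping bytes
        self.pending: Dict[FlowKey, Reassembly] = {}
        self.blocked: Set[FlowKey] = set()        # datagrams whose later/retransmitted fragments are dropped

    def handle(self, frag: Fragment) -> str:
        key: FlowKey = (frag.src, frag.dst, frag.ident, frag.proto)
        if key in self.blocked:
            return "DROP"                          # retransmit of an already-blocked datagram
        r = self.pending.setdefault(key, Reassembly())
        r.frags.append(frag)
        if not frag.more:
            r.total_len = frag.offset + len(frag.payload)
        data = self._reassemble(r)
        if data is None:
            return "FORWARD"                       # incomplete: host cannot act before completion either
        del self.pending[key]
        if self.is_attack(data):
            self.blocked.add(key)
            return "DROP"                          # host never completes reassembly; timeout follows
        return "FORWARD"

    def _reassemble(self, r: Reassembly) -> Optional[bytes]:
        if r.total_len is None:
            return None
        buf = bytearray(r.total_len)
        have = bytearray(r.total_len)              # coverage map of filled byte positions
        order = r.frags if self.overlap == "first" else list(reversed(r.frags))
        for f in order:
            for i, b in enumerate(f.payload):
                pos = f.offset + i
                if pos >= r.total_len or have[pos]:
                    continue                       # past the end, or already filled by a preferred fragment
                buf[pos] = b
                have[pos] = 1
        if not all(have):
            return None                            # gaps remain: keep waiting for more fragments
        return bytes(buf)


def looks_malicious(datagram: bytes) -> bool:
    # Constructed toy signature; a real IPS runs its full rule set here.
    return b"/bin/sh" in datagram


def run_scenario(overlap: str = "first") -> List[str]:
    """Constructed traffic: one datagram in three fragments, a retransmit of its first
    fragment, then a second datagram with an overlapping (insertion-style) fragment."""
    ips = FragmentIPS(looks_malicious, overlap)
    ends = dict(src="10.0.0.1", dst="10.0.0.2", proto=6)
    payload = b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"
    parts = [payload[0:8], payload[8:24], payload[24:]]
    verdicts: List[str] = []
    off = 0
    for i, p in enumerate(parts):
        verdicts.append(ips.handle(Fragment(ident=1, offset=off, more=(i < len(parts) - 1), payload=p, **ends)))
        off += len(p)
    verdicts.append(ips.handle(Fragment(ident=1, offset=0, more=True, payload=parts[0], **ends)))
    verdicts.append(ips.handle(Fragment(ident=2, offset=0, more=True, payload=b"cmd=echo", **ends)))
    verdicts.append(ips.handle(Fragment(ident=2, offset=0, more=True, payload=b"/bin/sh ", **ends)))
    verdicts.append(ips.handle(Fragment(ident=2, offset=8, more=False, payload=b" hi\r\n", **ends)))
    return verdicts


if __name__ == "__main__":
    print("first-wins:", run_scenario("first"))
    print("last-wins: ", run_scenario("last"))
```

The first datagram's two leading fragments are forwarded, the final one is dropped once the reassembled datagram matches, and the retransmit is dropped by key. The second datagram shows why the post hedges with "modulo some attempts to ameliorate insertion / deletion attacks": under a first-wins overlap policy the IPS reassembles `cmd=echo hi` and forwards everything, under last-wins it sees `/bin/sh` and drops; whichever policy the real recipient uses is what actually matters, which is why a practical IPS needs per-target reassembly policies or has to treat ambiguous overlaps themselves as the "grave anomaly" worth dropping.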

