IDS mailing list archives
Re: IPS Futures
From: nick black <dank () qemfd net>
Date: Mon, 26 Jul 2004 12:05:24 +0000 (UTC)
On 2004-07-22, Ed Donegan <danceslikewhiteguy () hotmail com> wrote:
> I am curious how even wire speed IPS's analyze fragmented attacks without introducing network latency. Seems it would be a fairly fundamental problem for an inline network device.
You agree that the recipient host can't have latency less than the time required for all fragments to reach it and be reassembled, no? Provided that, and discounting aggregate processing latency in the IPS due to dealing with more iterations of per-packet code, there need be no increased latency.

Our product allows each fragment through until either a grave anomaly is noted, or the reassembled packet (modulo some attempts to ameliorate insertion / deletion attacks) is analyzed as it would have appeared prior to fragmentation. Any one of these fragments may be individually dropped, and so long as retransmits are also dropped (and remember, fragments themselves can't be noted as missing à la TCP segments), the attack is stopped and eventually ICMP Reassembly Time Exceeded messages shall be your reward -- provided slick SMOPping, your IPS can hopefully keep the rogue info long enough to block successfully.

You want to watch the fragments anyway, as they can give interesting hints about all kinds of things.

-- 
nick black "np: the class of dashed hopes and idle dreams."
free hearts, free foreheads -- you and i are old; old age hath yet his honour
and his toil; death closes all: but something ere the end, some work of noble
note, may yet be done, not unbecoming men that strove with gods. (tennyson)
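The forward-then-retroactively-drop scheme nick describes can be modelled in a few dozen lines. The following is an added example, not code from nick's product or from anyone on this thread: a toy inline inspector that lets each fragment through as it arrives, reassembles a copy on the side, drops a fragment whose bytes conflict with an overlap already held (the "grave anomaly" case), and, once the datagram is complete, drops the final fragment and every later retransmit of that datagram if the reassembled payload matches a rule. The IP addresses, the `etc/passwd` rule, the class and method names, and the use of byte offsets (a real IP header stores the offset in 8-byte units) are all assumptions of this illustration.

```python
"""Toy model of an inline IPS that forwards IP fragments as they arrive,
reassembles a copy in parallel, and retroactively drops the datagram once the
reassembled payload (or a conflicting overlap among the fragments) is judged
bad. Constructed illustration with assumed names; not any vendor's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int      # IP Identification field, shared by all fragments of a datagram
    offset: int     # payload offset in bytes (a real header stores offset / 8)
    more: bool      # More Fragments (MF) flag
    data: bytes


Key = Tuple[str, str, int]


@dataclass
class Reassembly:
    pieces: Dict[int, bytes] = field(default_factory=dict)
    total_len: Optional[int] = None   # known once the MF=0 fragment arrives


class FragmentInspector:
    """Returns 'FORWARD' or 'DROP' for each fragment; reassembles on the side."""

    def __init__(self, is_malicious: Callable[[bytes], bool]):
        self.is_malicious = is_malicious
        self.pending: Dict[Key, Reassembly] = {}
        self.blocked: Dict[Key, str] = {}   # datagrams already rejected -> reason

    def handle(self, f: Fragment) -> str:
        key = (f.src, f.dst, f.ident)
        if key in self.blocked:
            return "DROP"   # retransmits of a rejected datagram are dropped too
        r = self.pending.setdefault(key, Reassembly())
        # Anomaly: an overlap whose bytes disagree with what we already hold
        # is an insertion attempt, so this fragment is dropped outright.
        for off, held in r.pieces.items():
            lo = max(off, f.offset)
            hi = min(off + len(held), f.offset + len(f.data))
            if lo < hi and held[lo - off:hi - off] != f.data[lo - f.offset:hi - f.offset]:
                return self._block(key, "conflicting overlap")
        r.pieces[f.offset] = f.data
        if not f.more:
            r.total_len = f.offset + len(f.data)
        if r.total_len is not None and self._complete(r):
            payload = self._assemble(r)
            del self.pending[key]
            if self.is_malicious(payload):
                # Earlier fragments already went through; dropping this one
                # leaves the host with a hole it can never fill, so it times
                # out and answers with ICMP Time Exceeded (reassembly) instead.
                return self._block(key, "malicious reassembled payload")
        return "FORWARD"

    def _block(self, key: Key, reason: str) -> str:
        self.pending.pop(key, None)
        self.blocked[key] = reason   # a real device would expire this entry
        return "DROP"

    @staticmethod
    def _complete(r: Reassembly) -> bool:
        covered = 0
        for off in sorted(r.pieces):
            if off > covered:
                return False          # gap: still waiting on a fragment
            covered = max(covered, off + len(r.pieces[off]))
        return covered >= r.total_len

    @staticmethod
    def _assemble(r: Reassembly) -> bytes:
        buf = bytearray(r.total_len)
        for off, chunk in r.pieces.items():
            end = min(off + len(chunk), r.total_len)
            buf[off:end] = chunk[:end - off]
        return bytes(buf)


SIGNATURE = b"etc/passwd"   # constructed toy rule; spans a fragment boundary below


def _frags(src: str, ident: int, payload: bytes, cuts: Tuple[int, ...]) -> List[Fragment]:
    """Split payload at the given byte offsets (multiples of 8, as on the wire)."""
    bounds = [0] + list(cuts) + [len(payload)]
    return [Fragment(src, "10.0.0.5", ident, bounds[i], i < len(cuts),
                     payload[bounds[i]:bounds[i + 1]])
            for i in range(len(bounds) - 1)]


def run_attack() -> List[str]:
    ips = FragmentInspector(lambda p: SIGNATURE in p)
    frags = _frags("192.0.2.9", 4242, b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\n", (8, 24))
    verdicts = [ips.handle(f) for f in frags]
    verdicts.append(ips.handle(frags[0]))   # sender retransmits the first piece
    return verdicts                         # ['FORWARD', 'FORWARD', 'DROP', 'DROP']


def run_benign() -> List[str]:
    ips = FragmentInspector(lambda p: SIGNATURE in p)
    frags = _frags("198.51.100.2", 7, b"GET /index.html HTTP/1.0\r\n", (8, 16))
    return [ips.handle(f) for f in (frags[2], frags[0], frags[1])]   # out of order


def run_insertion() -> List[str]:
    ips = FragmentInspector(lambda p: SIGNATURE in p)
    a = Fragment("203.0.113.7", "10.0.0.5", 99, 0, True, b"AAAAAAAA")
    b = Fragment("203.0.113.7", "10.0.0.5", 99, 4, False, b"BBBBBBBB")  # bytes 4..7 conflict
    return [ips.handle(a), ips.handle(b)]


if __name__ == "__main__":
    print("attack   ", run_attack())
    print("benign   ", run_benign())
    print("insertion", run_insertion())
```

The point to notice is the verdict list in `run_attack()`: the first two fragments are forwarded with no added delay, and only the fragment that completes the datagram is dropped, together with the retransmit that follows. That is exactly the latency argument in the reply: the host could not have acted before all fragments arrived anyway. The `blocked` table is what "keep the rogue info long enough to block successfully" refers to; in a real device it needs a timer, since the IP Identification field wraps and the same key will eventually belong to an innocent datagram.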
Current thread:
- IPS Futures Joel M Snyder (Jul 20)
- <Possible follow-ups>
- RE: IPS Futures M Shirk (Jul 22)
- RE: IPS Futures Rob Shein (Jul 25)
- RE: IPS Futures Ed Donegan (Jul 25)
- Re: IPS Futures nick black (Jul 26)