Re: Proxy 2.0 secure? (IDS)

[tqbf () pobox com]

> was for different OSes.  I'd have to agree with that.  No
> IDS will catch 100% of the attacks, and not even 100% of
> known attacks if they are presented in different packet-breaking

The "80% solution" argument you're pitching isn't valid. If we decide
tomorrow to release tools to allow attackers to craft "stealth" exploits,
the 80% of attacks sniffer-I-D systems catch will rapidly be degraded to
75%, 60%, 50%, and so on. 

> My question towards that end is:  Isn't there some common
> thing to look for with these funny streams that will identfiy
> it as a problem, if not that it's a /cgi-bin/phf attack?

Possibly. The issue you contend with here is false positives, not only
because some common IP stacks are buggy (Vern Paxson discovered TCP stacks
that actually perform inconsistant TCP retransmissions, which I think is
really amusing), but because the Internet (diverse and unstable network
paths) can do lots of weird things to otherwise normal traffic.

Of course, the underlying problem for consumers is that checking for
"weird fragmentation" and alarming on that instead of on "PHF attack"
reduces the value of your IDS dramatically --- you no longer know what
type of attacks are occuring on your network, just that you are in some
way under attack. Is this capability worth tens of thousands of dollars to
you?

> For your question... if it's done on the firewall machine, i'd
> assume the firewall would reassemble it one particular
> way, which would prevent the attack from working,
> but might not allow the IDS to identify it as an
> attempt.  I guess that would be more for layer 3

The firewall stack can flag as an attack weird fragment streams.

-----------------------------------------------------------------------------
Thomas H. Ptacek                           SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf       "If you're so special, why aren't you dead?"