Firewall Wizards mailing list archives
Re: Proxy 2.0 secure? (IDS)
From: tqbf () pobox com
Date: Mon, 6 Jul 1998 02:55:40 -0500 (CDT)
> was for different OSes. I'd have to agree with that. No IDS will catch 100% of the attacks, and not even 100% of known attacks if they are presented in different packet-breaking

The "80% solution" argument you're pitching isn't valid. If we decide tomorrow to release tools to allow attackers to craft "stealth" exploits, the 80% of attacks sniffer-I-D systems catch will rapidly be degraded to 75%, 60%, 50%, and so on.

> My question towards that end is: Isn't there some common thing to look for with these funny streams that will identify it as a problem, if not that it's a /cgi-bin/phf attack?

Possibly. The issue you contend with here is false positives, not only because some common IP stacks are buggy (Vern Paxson discovered TCP stacks that actually perform inconsistent TCP retransmissions, which I think is really amusing), but because the Internet (diverse and unstable network paths) can do lots of weird things to otherwise normal traffic. Of course, the underlying problem for consumers is that checking for "weird fragmentation" and alarming on that instead of on "PHF attack" reduces the value of your IDS dramatically --- you no longer know what type of attacks are occurring on your network, just that you are in some way under attack. Is this capability worth tens of thousands of dollars to you?

> For your question... if it's done on the firewall machine, I'd assume the firewall would reassemble it one particular way, which would prevent the attack from working, but might not allow the IDS to identify it as an attempt. I guess that would be more for layer 3

The firewall stack can flag as an attack weird fragment streams.

-----------------------------------------------------------------------------
Thomas H. Ptacek                          SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf            "If you're so special, why aren't you dead?"
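An added example, not part of this thread, of the check the reply describes: a sensor that alarms on "weird fragment streams" rather than on a named attack. It reassembles a fragment stream and flags byte ranges where overlapping fragments disagree, missing ranges, and a missing final fragment. The Fragment type, the flag names and the sample streams are constructed for this example.

```python
"""Flag fragment streams whose pieces cannot be reassembled unambiguously.
Fragments are (offset, payload, more_fragments) as for IP; the same check
works for TCP segments if offset is the relative sequence number."""
from dataclasses import dataclass

SUSPICIOUS = {"conflicting-overlap", "gap", "no-last-fragment"}

@dataclass
class Fragment:
    offset: int      # byte offset of this piece within the datagram
    payload: bytes
    more: bool       # True if further fragments follow (the IP "MF" flag)

def analyze_stream(frags):
    """Reassemble with a first-writer-wins policy; return {"data", "flags"}.
    "conflicting-overlap": two pieces cover the same byte with different
    values, so a host using another overlap policy reassembles a different
    payload than this sensor did. Exact duplicates are flagged separately."""
    flags, buf, end = set(), {}, None
    for f in sorted(frags, key=lambda f: f.offset):  # stable: ties keep arrival order
        if not f.more:
            end = f.offset + len(f.payload)
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos in buf:
                flags.add("conflicting-overlap" if buf[pos] != b else "duplicate-overlap")
            else:
                buf[pos] = b
    if end is None:                     # never saw the final piece
        flags.add("no-last-fragment")
        end = max(buf) + 1 if buf else 0
    if any(pos not in buf for pos in range(end)):
        flags.add("gap")                # holes a host would wait to fill
    return {"data": bytes(buf.get(pos, 0) for pos in range(end)), "flags": flags}

def is_suspicious(frags):
    # True when different hosts could reassemble this stream differently.
    return bool(analyze_stream(frags)["flags"] & SUSPICIOUS)

# Constructed sample streams (not captured traffic).
NORMAL = [Fragment(0, b"GET /index.html", True), Fragment(15, b" HTTP/1.0\r\n", False)]
CONFLICTING = [Fragment(0, b"GET /cgi-bin/", True), Fragment(13, b"status", True),
               Fragment(13, b"StAtUs", True), Fragment(19, b" HTTP/1.0\r\n", False)]
DUPLICATE = [Fragment(0, b"abc", True), Fragment(0, b"abc", True), Fragment(3, b"def", False)]
GAPPED = [Fragment(0, b"GET /", True), Fragment(8, b"x HTTP/1.0\r\n", False)]

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("conflicting", CONFLICTING),
                    ("duplicate", DUPLICATE), ("gapped", GAPPED)):
        print(name, is_suspicious(s), sorted(analyze_stream(s)["flags"]))
```

Exact duplicates are deliberately kept off the suspicious list: as the reply notes, retransmission and odd network paths produce them on legitimate traffic, so alarming on them is a false-positive source.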