IDS mailing list archives
RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 16 Dec 2002 20:28:56 -0600
On Mon, 2002-12-16 at 13:46, Dudley, Brian (ISS Chicago) wrote:
> A scan is launched at a web server farm by a hacker or a worm, ActiveScout replies with bogus information about web servers that do not exist. Then the hacker or automated worm takes this information and tries to launch an attack at these bogus hosts, and immediately ActiveScout blocks the attacker's IP. It knows that nobody should send a request to an IP that does not exist. So it doesn't matter if you are from the original scanning IP address or a separate address. The only thing that matters is you are trying to attack a host that does not exist. Now if you get lucky and launch an attack from a separate IP at a valid server IP then your traditional IDS should catch it, however automated attacks take scan info and launch at all IPs and therefore worms like Slapper or Code Red should be automatically blocked. This product is a supplement to regular IDS/IPS which will detect and block single host attacks with no pre-attack probe. The beauty is that it blocks unknown automated attacks like Code Red, Nimda, Slapper, etc... Remember Defense in Depth... There is no silver bullet...
Brian, thanks, that's the only scenario I could come up with as well, which unfortunately requires a large pool of available IPs for fake hosts. A smaller subnet, say a /28 with 10 web servers doesn't seem to benefit from it very much. At the same time, one might want to just block anyone that hits an unused IP address. I fail to see where the correlation comes in with a shine.
Having said that, a problem I see is if the attacker knows you are using this technology and spoofs the source address of one of your business partners, DNS server, etc. in a packet destined to a bogus ActiveScout IP, which could potentially DoS your network. This may be mitigated if ActiveScout ensures that a full TCP session is established before blocking the offending IP.
There are always risks with any automated response (I personally prefer a silent drop over a TCP reset). Those risks can be minimized, but I don't want to get into those arguments anymore (they are probably in the archives when you search for SnortSam and such... ;)

To reword (and translate) what Oded said, using your explanation:

|The technology has several interesting attributes. To name a few:
|
|- It is independent of the payload of the attack. This enables detection
| of attacks not known to the security community.

Of course it doesn't care about the payload. It just triggers on any type of packet to unused IPs. No need to inspect the packet payload. (Also no need to provide a bogus banner....hmmm....)

|- It is not sensitive to whether the attack comes from the same source
| (IP address) as the reconnaissance. Au contraire: this is actually
| where it shines.

Again, any source accessing unused IPs could be punished. I fail to understand the purpose of this sentence given Brian's explanations.

|- The detection is extremely accurate, allowing for automatic blocking
| to be enabled without fear of blocking legitimate business.

Of course, if you only trigger on unused IPs...

|- It is not dependent on the actual probing technique (e.g. simple TCP
| connect, FTP bounce, sent along with decoy addresses, etc.).

Again, any packet to an unused IP can trigger an action, nothing fancy here either.

|- Attacks are detected at an extremely early stage, when the payload
| usually has no impact (yet), allowing time for effective blocking
| (using a firewall, or tearing down TCP connection before the TCP
| window opens up).

Does 'extremely early stage' translate to 'before the TCP 3-way handshake is established'? Of course, the SYN to an unused IP is enough, no need to complete a handshake...

The "we'll present fake hosts and block anyone accessing those" explanation is sooo much more down to earth than the advertised version.

Sounds like the 'markers' are just fake services represented through fake banners on ports of unused IPs. I'm not sure what else could be used to "bait'n'track" an attacker, perhaps a fake FTP site with a fake user account list? If the markers extend beyond just fake banners, then I remain interested. Otherwise I just continue to block sources that access unused IP addresses since it seems to have the same result.

This is all provided that Brian's explanation of the product is accurate. If that's the case, then this is a great example of how carefully crafted advertising language can make a product appear to be something larger than it is. Should Brian's explanation not be accurate, I encourage ForeScout to provide further details. Otherwise I'll file it under 'Deceptive Marketing' in the Doghouse....

Regards,
Frank
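The two points Frank raises above, "just block anyone that hits an unused IP" and "this may be mitigated if a full TCP session is established before blocking", can be shown side by side in a few lines of detection logic. The following is an added example written for this archive page; it is not code from the thread, from SnortSam or from ForeScout. It assumes a constructed /28 web farm in 203.0.113.0/28 where three addresses are in use, and a constructed flow log of "src dst tcp-flags" lines in which a scanner completes a handshake with a decoy address, a spoofed business-partner address sends bare SYNs at another decoy, and a legitimate client talks to a real server. The naive rule blocks on the first SYN and so also blocks the spoofed partner address (the DoS Frank describes); the handshake-gated rule blocks only a source that sends the final ACK, which proves it actually received the decoy's SYN-ACK.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample network: a /28 web farm, hypothetical addresses.
PROTECTED_NET = [f"203.0.113.{i}" for i in range(1, 15)]
USED_IPS: Set[str] = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
UNUSED_IPS: Set[str] = set(PROTECTED_NET) - USED_IPS  # decoy / "marker" addresses

# Constructed flow log: "src dst flags" (S = SYN, SA = SYN/ACK, A = ACK).
SAMPLE_LOG = """
198.51.100.7 203.0.113.5 S
203.0.113.5 198.51.100.7 SA
198.51.100.7 203.0.113.5 A
192.0.2.50 203.0.113.9 S
192.0.2.50 203.0.113.9 S
198.51.100.8 203.0.113.10 S
203.0.113.10 198.51.100.8 SA
198.51.100.8 203.0.113.10 A
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str


def parse_log(text: str) -> List[Packet]:
    """Turn the constructed log lines into Packet records."""
    packets = []
    for line in text.strip().splitlines():
        src, dst, flags = line.split()
        packets.append(Packet(src, dst, flags))
    return packets


def naive_block(packets: List[Packet]) -> Set[str]:
    """Block any source that sends a SYN to an unused address.

    Spoofable: a single forged SYN is enough to get a victim address blocked.
    """
    return {p.src for p in packets if p.flags == "S" and p.dst in UNUSED_IPS}


def handshake_block(packets: List[Packet]) -> Set[str]:
    """Block a source only after it completes the 3-way handshake with a decoy.

    The client's final ACK can only be sent by whoever received the decoy's
    SYN/ACK, so a spoofed source address never reaches the blocked state.
    """
    state: Dict[Tuple[str, str], str] = {}  # (client, decoy) -> "syn" | "synack"
    blocked: Set[str] = set()
    for p in packets:
        if p.flags == "S" and p.dst in UNUSED_IPS:
            state[(p.src, p.dst)] = "syn"
        elif p.flags == "SA" and state.get((p.dst, p.src)) == "syn":
            state[(p.dst, p.src)] = "synack"  # decoy answered the SYN
        elif p.flags == "A" and state.get((p.src, p.dst)) == "synack":
            blocked.add(p.src)  # client proved it received the SYN/ACK
    return blocked


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("naive    :", sorted(naive_block(pkts)))
    print("handshake:", sorted(handshake_block(pkts)))
```

Run against the constructed log, the naive rule blocks both 198.51.100.7 (the scanner) and 192.0.2.50 (the forged partner address), while the handshake-gated rule blocks only 198.51.100.7 and never touches the legitimate client 198.51.100.8, which only spoke to a real server. A production version would need to expire stale state entries and handle RSTs, but the gating principle is the one Frank describes.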