IDS mailing list archives

RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 16 Dec 2002 20:28:56 -0600

On Mon, 2002-12-16 at 13:46, Dudley, Brian (ISS Chicago) wrote: 
A scan is launched at a web server farm by a hacker or a worm; ActiveScout replies with bogus information about web servers that do not exist. Then the hacker or automated worm takes this information and tries to launch an attack at these bogus hosts, and immediately ActiveScout blocks the attacker's IP. It knows that nobody should send a request to an IP that does not exist. So it doesn't matter if you are from the original scanning IP address or a separate address. The only thing that matters is you are trying to attack a host that does not exist. Now if you get lucky and launch an attack from a separate IP at a valid server IP then your traditional IDS should catch it; however, automated attacks take scan info and launch at all IPs and therefore worms like Slapper or Code Red should be automatically blocked. This product is a supplement to regular IDS/IPS, which will detect and block single-host attacks with no pre-attack probe. The beauty is that it blocks unknown automated attacks like Code Red, Nimda, Slapper, etc... Remember Defense in Depth... There is no silver bullet...

Brian,

thanks, that's the only scenario I could come up with as well, which
unfortunately requires a large pool of available IPs for fake hosts. A
smaller subnet, say a /28 with 10 web servers doesn't seem to benefit
from it very much.

At the same time, one might want to just block anyone that hits an
unused IP address. I fail to see where the correlation comes in with a
shine.

Having said that, a problem I see is if the attacker knows you are using this technology and spoofs the source address of one of your business partners, DNS server, etc. in a packet destined to a bogus ActiveScout IP, which could potentially DoS your network. This may be mitigated if ActiveScout ensures that a full TCP session is established before blocking the offending IP.

There are always risks with any automated response (I personally prefer
a silent drop over a TCP reset). Those risks can be minimized, but I
don't want to get into those arguments anymore (they are probably in the
archives when you search for SnortSam and such... ;)



To reword (and translate) what Oded said, using your explanation:

|The technology has several interesting attributes. To name a few:
|
|- It is independent of the payload of the attack. This enables
|  detection of attacks not known to the security community.

Of course it doesn't care about the payload. It just triggers on any
type of packet to unused IPs. No need to inspect the packet payload.
(Also no need to provide a bogus banner....hmmm....)

|- It is not sensitive to whether the attack comes from the same source
|  (IP address) as the reconnaissance. Au contraire: this is actually
|  where it shines.

Again, any source accessing unused IPs could be punished. I fail to
understand the purpose of this sentence given Brian's explanations.

|- The detection is extremely accurate, allowing for automatic blocking
|  to be enabled without fear of blocking legitimate business.

Of course, if you only trigger on used IPs...

|- It is not dependent on the actual probing technique (e.g. simple TCP
|  connect, FTP bounce, sent along with decoy addresses, etc.).

Again, any packet to an unused IP can trigger an action, nothing fancy
here either.

|- Attacks are detected at an extremely early stage, when the payload
|  usually has no impact (yet), allowing time for effective blocking
|  (using a firewall, or tearing down TCP connection before the TCP
|  window opens up).

Does 'extremely early stage' translate to 'before the TCP 3-way handshake is
established'? Of course, the SYN to an unused IP is enough, no need to
complete a handshake...


The "we'll present fake hosts and block anyone accessing those"
explanation is sooo much more down to earth than the advertised version.
Sounds like the 'markers' are just fake services represented through
fake banners on ports of unused IPs. I'm not sure what else could be
used to "bait'n'track" an attacker, perhaps a fake FTP site with a fake
user account list? If the markers extend beyond just fake banners, then
I remain interested. Otherwise I just continue to block sources that
access unused IP addresses since it seems to have the same result.

This is all provided that Brian's explanation of the product is
accurate. If that's the case, then this is a great example of how
carefully crafted advertising language can make a product appear to be
something larger than it is. Should Brian's explanation not be accurate,
I encourage ForeScout to provide further details.

Otherwise I'll file it under 'Deceptive Marketing' in the Doghouse....

Regards,
Frank
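The "block anyone who accesses an unused IP" approach Frank describes, including his proposed mitigation of only acting on a completed TCP handshake so that spoofed SYNs from a business partner or DNS server cannot be used to get them blocked, as an added illustration (this is not ForeScout's or Frank's code; the /28, the ten live servers, the allowlist and the connection events are all constructed for the example):

```python
"""Toy 'bait address' blocker: flag sources that talk to unused IPs.

Added example, not part of the original thread. Assumes a /28 with ten live
web servers; every other host address in the block is bait. Acting only on
established sessions (never on a bare SYN) limits the spoofed-source DoS that
Frank describes, because a spoofer cannot complete the 3-way handshake.
"""
import ipaddress
from dataclasses import dataclass

# Constructed example network (TEST-NET-1): .1-.10 are real servers,
# .11-.14 are unused and therefore act as bait; .0 and .15 are not hosts.
SUBNET = ipaddress.ip_network("192.0.2.0/28")
LIVE_HOSTS = {ipaddress.ip_address(f"192.0.2.{i}") for i in range(1, 11)}
# Sources that must never be auto-blocked (partners, DNS), per Frank's concern.
ALLOWLIST = {ipaddress.ip_address("198.51.100.53")}


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    state: str  # "syn" = unacknowledged SYN seen; "established" = handshake done


def is_bait(dst: str) -> bool:
    """True if dst is a host address in our subnet that no real server uses."""
    ip = ipaddress.ip_address(dst)
    if ip not in SUBNET or ip in (SUBNET.network_address, SUBNET.broadcast_address):
        return False
    return ip not in LIVE_HOSTS


def decide_blocks(events, require_handshake=True):
    """Return the set of source IPs (as strings) that should be blocked."""
    blocked = set()
    for ev in events:
        if not is_bait(ev.dst):
            continue  # traffic to a real server is left to the regular IDS
        src = ipaddress.ip_address(ev.src)
        if src in ALLOWLIST:
            continue  # never auto-block partners or infrastructure
        if require_handshake and ev.state != "established":
            continue  # a bare SYN can carry a spoofed source; do not act on it
        blocked.add(str(src))
    return blocked


SAMPLE_EVENTS = [  # constructed connection records
    Event("203.0.113.10", "192.0.2.3", "established"),   # client of a live server
    Event("203.0.113.20", "192.0.2.12", "established"),  # follow-up to a bait host
    Event("198.51.100.53", "192.0.2.13", "syn"),         # spoofed SYN 'from' partner DNS
    Event("203.0.113.30", "192.0.2.14", "syn"),          # SYN only, source unverified
]
```

With `require_handshake=True` only 203.0.113.20 is blocked; dropping that requirement also blocks the unverified SYN source, which is exactly the exposure Frank points out.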
