nanog mailing list archives

Re: Checkpoint IPS


From: "Roland Dobbins" <rdobbins () arbor net>
Date: Fri, 06 Feb 2015 21:18:08 +0700


On 6 Feb 2015, at 20:08, Ray Soucy wrote:

> An IDS tied into an internal RTBH setup to leverage uRPF filtering in
> hardware can be pretty effective at detecting and blocking the typical
> UDP attacks out there before they reach systems that don't handle that
> as gracefully (e.g. firewalls or host systems).

Using flow telemetry for this scales much, much better. One could easily set something like this up using open source flow telemetry collection/analysis tools.

Of course, giving attackers the ability to spoof the IP addresses of their choice and then induce your network infrastructure into blocking said IP addresses isn't necessarily optimal, IMHO. I'm not a big fan of any kind of auto-mitigation for this reason - it's best to have a human operator in the loop.

If one is determined to do this kind of auto-mitigation, it's probably a good idea to whitelist certain things which ought never to be S/RTBHed via appropriate route filtering on the trigger and/or edge devices where traffic will be dropped.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
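Added example, not code from the thread or from either poster: a trigger-side gate for source-based RTBH (S/RTBH) driven by flow telemetry. It aggregates UDP packet counts per source from constructed flow records, refuses to propose a discard route for anything in a never-blackhole allowlist (the spoofing risk described above), and queues the remaining detections for an operator to approve rather than acting automatically. All prefixes, flow records, the `NEVER_BLACKHOLE` list and the IOS-style prefix-list rendering are assumptions, not values from the post.

```python
"""
Constructed S/RTBH triage: detect from flow telemetry, guard with an allowlist,
hand the result to a human. Nothing here injects a route.
"""
import ipaddress
from collections import defaultdict

# Constructed allowlist (assumed values): own infrastructure, peering/transit
# link addresses and resolvers that must never receive a discard route, no
# matter how much traffic flow records attribute to them.
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",      # stand-in for own infrastructure
    "198.51.100.0/24",   # stand-in for transit/peering link addresses
    "203.0.113.53/32",   # stand-in for a public recursive resolver
)]

# Constructed flow records as a collector might export them:
# (src, dst, ip_proto, packets). Protocol 17 is UDP, 6 is TCP.
FLOWS = [
    ("100.64.0.10", "192.0.2.80", 17, 400_000),
    ("100.64.0.10", "192.0.2.81", 17, 350_000),
    ("198.51.100.7", "192.0.2.80", 17, 900_000),   # source spoofed to look like a peer
    ("100.64.0.22", "192.0.2.80", 6, 500_000),     # TCP, out of scope for this gate
    ("100.64.0.31", "192.0.2.80", 17, 1_000),
]


def is_protected(addr: str) -> bool:
    """True if addr lies inside a prefix that must never be blackholed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_BLACKHOLE)


def udp_sources_over(flows, threshold):
    """Sum UDP packets per source and return the sources at or over threshold."""
    totals = defaultdict(int)
    for src, _dst, proto, pkts in flows:
        if proto == 17:
            totals[src] += pkts
    return {src: n for src, n in totals.items() if n >= threshold}


def triage(flows, threshold):
    """Split detections into proposals awaiting operator approval and
    rejections that hit the allowlist. Returns (proposed, rejected)."""
    proposed, rejected = [], []
    for src, pkts in sorted(udp_sources_over(flows, threshold).items()):
        (rejected if is_protected(src) else proposed).append((src, pkts))
    return proposed, rejected


def prefix_list_guard(name="RTBH-NEVER"):
    """Render the allowlist as an IOS-style prefix-list (assumed syntax) so the
    same guard can be applied as route filtering on the trigger router itself,
    not only in this script. A /32 entry carries no 'le' qualifier."""
    lines = []
    seq = 10
    for net in NEVER_BLACKHOLE:
        tail = "" if net.prefixlen == 32 else " le 32"
        lines.append(f"ip prefix-list {name} seq {seq} deny {net}{tail}")
        seq += 10
    lines.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    proposed, rejected = triage(FLOWS, threshold=500_000)
    print("awaiting operator approval:", proposed)
    print("rejected by allowlist:     ", rejected)
    print("\n".join(prefix_list_guard()))
```

The script only produces a proposal list; the operator decides whether to announce a /32 discard route, and the rendered prefix-list makes the trigger router refuse such an announcement for protected space even if the script is bypassed.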

