Penetration Testing mailing list archives

Re: AppScan and IDS evasion


From: TH <fsbo () haverkos com>
Date: Fri, 27 Jun 2008 16:53:37 -0500

Chroot <chrooted () gmail com> writes:

Isn't this a vulnerability in itself that your client blocks an IP
address? This could result in a DoS attack if you can spoof source IP
address. In my book IPS should block the attack not the source. Source
can be spoofed.

I agree--IDS's that lock out entire IP's based on attack signature
triggering are quite brain dead, and can be weaponized against their
owners.  I'm not an IPS expert, but I would certainly have clients
avoid ones that behave as the OP described.  Good IDS's block only the
troublesome packets/streams of traffic itself rather than wholesale
lockouts based on IP.

For instance, what if an attacker has nice network connectivity such
that they can spoof packets without any filtering, and then runs
snot or sneeze, or whatever the IDS/IPS triggering tool of choice
is...while spoofing traffic as though it's coming from...

$ for i in a b c d e f g h i j k l m ; do  dig +short $i.root-servers.net; done
198.41.0.4
192.228.79.201
192.33.4.12
128.8.10.90
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53
192.36.148.17
192.58.128.30
193.0.14.129
199.7.83.42
202.12.27.33

If suddenly the target network's IPS locked out any traffic (including
solicited responses) from any of those addresses....

Name resolution for that entire network would cease to work all that
well.  Those servers are the 13 DNS root nameservers. 

Happily, there are better IPS's out there.  
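To make the difference between the two IPS behaviours concrete, here is an added example (not from the original post or from any IPS product) modelling the auto-response policy of an inline sensor. It feeds constructed alerts whose source addresses are the 13 root-server IPs listed above through two policies: a naive one that adds the alert's source IP to a host blocklist, and a flow-scoped one that drops only the offending 5-tuple and refuses to auto-block a pre-loaded set of critical hosts. The `Alert` dataclass, the signature name, the `PROTECTED_NETS` ranges and the destination address are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The 13 root-server addresses from the post, pre-loaded as the set of hosts
# the IPS must never auto-block (constructed "critical infrastructure" list).
ROOT_SERVERS = frozenset({
    "198.41.0.4", "192.228.79.201", "192.33.4.12", "128.8.10.90",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "128.63.2.53",
    "192.36.148.17", "192.58.128.30", "193.0.14.129", "199.7.83.42",
    "202.12.27.33",
})
# Assumed: the site's own address space is exempt from host-level blocks too.
PROTECTED_NETS = (ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24"))


@dataclass(frozen=True)
class Alert:
    """One signature hit as the sensor would report it (assumed shape)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    signature: str


def is_protected(addr: str) -> bool:
    """True if this address may never be placed on a host blocklist."""
    ip = ip_address(addr)
    return addr in ROOT_SERVERS or any(ip in net for net in PROTECTED_NETS)


def naive_policy(alert: Alert) -> tuple:
    """The behaviour the post criticises: any hit blocks the whole source IP."""
    return ("block_host", alert.src)


def flow_policy(alert: Alert) -> tuple:
    """Drop only the offending 5-tuple; protected sources are logged, not blocked."""
    flow = (alert.proto, alert.src, alert.sport, alert.dst, alert.dport)
    if is_protected(alert.src):
        return ("log_only", flow)
    return ("drop_flow", flow)


def apply_policy(policy, alerts):
    """Run alerts through a policy; return (host_blocklist, flow_blocklist)."""
    hosts, flows = set(), set()
    for alert in alerts:
        action, key = policy(alert)
        if action == "block_host":
            hosts.add(key)
        elif action == "drop_flow":
            flows.add(key)
    return hosts, flows


def dns_collateral(host_blocklist) -> set:
    """Root servers the sensor would now refuse traffic from, i.e. resolution breakage."""
    return set(host_blocklist) & ROOT_SERVERS


# Constructed alerts: spoofed packets carrying each root-server address as
# source, aimed at an assumed web server so that a signature fires.
SPOOFED_ALERTS = [
    Alert(src=ip, sport=53, dst="192.0.2.10", dport=80, proto="tcp",
          signature="EXAMPLE-SIG web attack")
    for ip in sorted(ROOT_SERVERS)
]

if __name__ == "__main__":
    for name, policy in (("naive", naive_policy), ("flow", flow_policy)):
        hosts, flows = apply_policy(policy, SPOOFED_ALERTS)
        print(f"{name}: {len(hosts)} hosts blocked, {len(flows)} flows dropped, "
              f"root servers cut off: {len(dns_collateral(hosts))}")
```

Under the naive policy the 13 spoofed alerts leave all 13 root servers on the host blocklist, so the network can no longer hear their responses; under the flow policy nothing is host-blocked, and a hit from a non-protected source still only costs that one 5-tuple, which is the scope a spoofed packet can legitimately be allowed to influence.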
