Penetration Testing mailing list archives
Re: AppScan and IDS evasion
From: TH <fsbo () haverkos com>
Date: Fri, 27 Jun 2008 16:53:37 -0500
Chroot <chrooted () gmail com> writes:
Isn't this a vulnerability in itself that your client blocks an IP address. This could result in a DoS attack if you can spoof source IP address. In my book IPS should block the attack not the source. Source can be spoofed.
I agree--IDS's that lock out entire IP's based on attack signature triggering are quite brain dead, and can be weaponized against their owners. I'm not an IPS expert, but I would certainly have clients avoid ones that behave as the OP described. Good IDS's block only the troublesome packets/streams of traffic itself rather than wholesale lockouts based on IP. For instance, what if an attacker with nice network connectivity such that they can spoof packets without any filtering, and then they run snot or sneeze, or whatever the IDS/IPS triggering tool of chioce is...while spoofing traffic as though its coming from... $ for i in a b c d e f g h i j k l m ; do dig +short $i.root-servers.net; done 198.41.0.4 192.228.79.201 192.33.4.12 128.8.10.90 192.203.230.10 192.5.5.241 192.112.36.4 128.63.2.53 192.36.148.17 192.58.128.30 193.0.14.129 199.7.83.42 202.12.27.33 If suddenly the target network's IPS locked out any traffic (including solicited responses) from any of those addresses.... Name resolution for that entire network would cease to work all that well. Those servers are the 13 DNS root nameservers. Happily, there are better IPS's out there. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Re: AppScan and IDS evasion Chroot (Jun 27)
- Re: AppScan and IDS evasion Pen Testing (Jun 27)
- Re: AppScan and IDS evasion TH (Jun 27)
- Re: AppScan and IDS evasion Chris Brenton (Jun 28)
- <Possible follow-ups>
- Re: AppScan and IDS evasion Joseph McCray (Jun 29)
- RE: AppScan and IDS evasion admin (Jun 29)
- RE: AppScan and IDS evasion Marco Ivaldi (Jun 30)