Re: [nsp] IDS shunning

From: Robert E. Seastrom (rs@seastrom.com)
Date: Wed Mar 20 2002 - 08:58:49 EST


"Travis Pugh" <tdp@discombobulated.net> writes:

> According to "Hank Nussbacher" <hank@att.net.il>:
>
> > If I understand correctly, shunning is basically setting up an
> > ACL on the adjacent router to block the bad traffic. The IDS box
> > doesn't telnet into the cisco router every time it needs to do a
> > change. The IDS box sets up a permanent telnet session that
> > doesn't time out and sits logged in to the router 24x7! Then it
> > automatically sets up the ACL.
> >
> > Does anyone actually do this?!
>
> It will also establish connectivity with a PIX via telnet or ssh
> and do the same thing ... as to actually implementing it, I would
> hope not. The potential for DoSing yourself with false
> positives, whether naturally occurring or done maliciously with
> spoofed headers, just seems too high to let your NIDS start
> writing ACLs on the fly.

The risk of DoSing yourself depends on how picky your NIDS is about
what it actually considers an attack. Netrangers successfully did
this years ago (they needed a special router, whose name I forget,
which was made by a division of StorageTek).

Of course, the possibilities for goading the IDS into shunning key
pieces of Internet infrastructure (say, the gTLD servers) with fake
portscans from forged addresses would seem to be high. Not to worry
though, the Netranger implementation at least timed out shunning an
address after a configurable period of time, so by the time you, the
guy who runs the network, get around to taking a look at the problem,
it will have fixed itself... giving an opportunity for a BOFH Moment (tm).

                                        ---Rob
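The thread's two safety properties for automatic shunning, a never-shun list for infrastructure you cannot afford to block and a configurable expiry, as an added example; this is hypothetical defender-side logic, not Netranger's or Cisco's code, and the addresses are constructed documentation ranges:

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed never-shun list: our own management network and the upstream
# resolver this network depends on (RFC 5737 documentation addresses).
NEVER_SHUN = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.53/32"),
]


@dataclass
class ShunTable:
    """Timed shun list with a protected-address list and a hard entry cap."""
    ttl: float = 600.0          # seconds a shun stays active before it expires
    max_entries: int = 100      # cap so a flood of spoofed hits cannot grow the ACL without bound
    never_shun: list = field(default_factory=lambda: list(NEVER_SHUN))
    _active: dict = field(default_factory=dict)  # address -> expiry timestamp

    def is_protected(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.never_shun)

    def add(self, addr: str, now: float) -> bool:
        """Shun addr; refuse protected addresses and refuse new entries once the cap is hit."""
        self.expire(now)
        if self.is_protected(addr):
            return False
        if addr not in self._active and len(self._active) >= self.max_entries:
            return False
        self._active[addr] = now + self.ttl  # re-adding an active address extends its shun
        return True

    def expire(self, now: float) -> list:
        """Drop entries whose TTL has elapsed; return the addresses released."""
        gone = [a for a, t in self._active.items() if t <= now]
        for a in gone:
            del self._active[a]
        return gone

    def active(self, now: float) -> list:
        self.expire(now)
        return sorted(self._active)

    def acl_lines(self, now: float, acl_id: int = 199) -> list:
        """Render the table as IOS-style extended ACL lines (constructed, not pulled from a device)."""
        lines = [f"access-list {acl_id} deny ip host {a} any" for a in self.active(now)]
        lines.append(f"access-list {acl_id} permit ip any any")
        return lines
```

A hit on a protected address or beyond the cap is the case to alert on rather than act on, since that is exactly what a spoofed-source flood would produce.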



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:08 EDT