Re: [nsp] IDS shunning

From: Travis Pugh (tdp@discombobulated.net)
Date: Wed Mar 20 2002 - 10:06:28 EST


According to Robert E. Seastrom <rs@seastrom.com>:

> The risk of DoSing yourself depends on how picky your NIDS is about
> what it actually considers an attack. Netrangers successfully did
> this years ago (they needed a special router, whose name I forget,
> which was made by a division of StorageTek).
>
> Of course, the possibilities for goading the IDS into shunning key
> pieces of Internet infrastructure (say, the gTLD servers) with fake
> portscans from forged addresses would seem to be high. Not to worry
> though, the Netranger implementation at least timed out shunning an
> address after a configurable period of time, so by the time you, the
> guy who runs the network, get around to taking a look at the problem,
> it will have fixed itself... giving an opportunity for a BOFH
> Moment (tm).

If I really wanted to set up a system that was doing automated
shuns, I'd likely stick it behind a firewall to cut down on the
potential for a false positive and at least preclude spoofed
internal addresses -- and in the case of the netranger I'd then
configure it to shun at a PIX instead of on a border router, with
the obvious advantage that I could use ssh for IDS-to-firewall
comms rather than blasting my ACL configs across the wire
cleartext. This does increase the complexity of the installation
since I still want some data on the footprinting and enumeration
activities that preceded the actual attack, which would either
require another IDS outside the 'wall or some integration with my
firewall logs.

However, this leaves me in an operational bind -- if I dial down
the shunning process so it only responds to non-spoofable
high-risk signatures, like buffer overflows, I'm still in a
situation where someone needs to respond to other alerts
manually. If I've got the shuns set to time out, someone needs
to do a threat assessment on what caused the shun in the first
place and determine what long-term actions need to be taken. I
really can't come up with a scenario where the shun happens and I
can just leave it alone ... so since everything at or above my
reporting threshold, shunned or not, requires some sort of manual
intervention, I just don't see the value in shunning anything
automatically.

Cheers.

-travis

ps -- yes, getting someone to shun the gTLDs would provide much
more instant gratification ...

>
> ---Rob
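Added illustration, not part of this thread and not code from Netranger, Cisco or any other product: a small Python model of the shun policy the two posts argue about. It auto-shuns only on signatures that cannot fire with a forged source (the "non-spoofable, high-risk" class), refuses to shun internal address space seen on the outside or an allowlisted set of critical infrastructure (the gTLD-server concern), times every shun out after a configurable period, and still hands every alert at or above the reporting threshold to a human, shunned or not. The signature names, prefixes, TTL and threshold are constructed placeholders.

```python
"""Toy shun-policy engine for the rules discussed in the thread:
auto-shun only on non-spoofable high-risk signatures, never shun
spoofed-internal or critical-infrastructure sources, time shuns out,
and route every reportable alert to manual review regardless.
All signature names, prefixes and thresholds are constructed examples."""
from dataclasses import dataclass, field
import ipaddress

# Constructed: signatures that can only fire after a completed TCP
# handshake, so the source address cannot have been forged.
NON_SPOOFABLE_HIGH_RISK = frozenset({"http-buffer-overflow", "ftp-buffer-overflow"})


@dataclass(frozen=True)
class Alert:
    signature: str
    src: str        # source IP of the offending traffic
    severity: int   # 1 (informational) .. 5 (critical)


@dataclass
class ShunPolicy:
    report_threshold: int = 3      # alerts below this are not reported at all
    shun_ttl: float = 900.0        # seconds before a shun expires (configurable timeout)
    # Constructed placeholder for infrastructure that must never be shunned
    # (the thread's example is the gTLD servers; no real addresses are used).
    never_shun: tuple = ("198.51.100.0/24",)
    # Inside address space: a packet arriving on the outside interface with
    # such a source is spoofed, so shunning it would only hurt ourselves.
    internal_nets: tuple = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

    active: dict = field(default_factory=dict)        # ip -> expiry timestamp
    review_queue: list = field(default_factory=list)  # alerts needing a human

    def _in_any(self, ip: str, prefixes) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p) for p in prefixes)

    def decide(self, alert: Alert, now: float) -> str:
        """Return 'ignore', 'review' or 'shun+review' for one alert."""
        if alert.severity < self.report_threshold:
            return "ignore"
        # Everything at or above the threshold needs manual follow-up,
        # shunned or not: this is the central point of the reply.
        self.review_queue.append(alert)
        if (alert.signature in NON_SPOOFABLE_HIGH_RISK
                and not self._in_any(alert.src, self.never_shun)
                and not self._in_any(alert.src, self.internal_nets)):
            self.active[alert.src] = now + self.shun_ttl
            return "shun+review"
        return "review"

    def is_shunned(self, ip: str, now: float) -> bool:
        expiry = self.active.get(ip)
        return expiry is not None and now < expiry

    def expire(self, now: float) -> list:
        """Drop timed-out shuns and return them, so that someone can still
        do the threat assessment a self-clearing shun would otherwise hide."""
        expired = sorted(ip for ip, exp in self.active.items() if exp <= now)
        for ip in expired:
            del self.active[ip]
        return expired
```

The `expire()` return value is the point of the design: a shun that silently times out is exactly the "it will have fixed itself" case, so the expired entries are surfaced rather than discarded, and the review queue grows for every reportable alert whether or not a shun was placed.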



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:08 EDT