IDS: Re: Active response... some thoughts.

[Scott Wimer <scottw () cylant com>]

Chris,

A local version of this is one of the available policy actions in our 
host based IPS product.  However, because this has the potential to be 
abused and turn an IPS into a denial of service product, we recommend 
against using blanket "drop all traffice from the offending IP" 
actions.  Just as effective but less risky is dropping all packets 
from that IP with the same remote and local port values (or if it's a 
TCP session, all packets for that session).
One downside to this approach is that it seems like it would be a bit 
difficult to implement remotely.  Mmm... actually, if you were to take 
the IP countermeasure code from KIP (http://kip.sf.net/) and just use 
the the IP stack hooking and countermeasure code building a router on 
top of FreeBSD or Linux that allowed this to be controlled remotely 
wouldn't be that difficult.  Interesting idea.  We might have to play 
around with that when we get some spare time -- probably in 2015. :(
Regards,
scottwimer

Chris Travers wrote:
> Hi--
>
> I had an additional idea relating to quasi-active response.  For example--
>
> An IDS could have hooks into a routers filtering tables in order to 
> temporarily ban that IP address.  This has the advantage of the RST in 
> that all inbound traffic from the attacker would be stopped, but would 
> create less traffic on the gateway than a RST would.  Additionally this 
> could also be used against connectionless protocols such as UDP and ICMP.
> It is more flexible, could be implimented on a timer to minimize the 
> damage of false alarms, etc.
> Best Wishes,
> Chris
--
Scott M. Wimer, CTO                      Cylant
www.cylant.com                           121 Sweet Ave.
v. (208) 883-4892                        Suite 123
c. (208) 850-4454                        Moscow, ID 83843
There is no Security without Control.