Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Comcast using IPS to protect the Internet f rom their home user clients?
From: Richard Compton <lazzy_8 () yahoo com>
Date: Wed, 10 Mar 2004 15:30:39 -0800 (PST)


They are beta testing the TippingPoint IPS.

-----Original Message-----

From: full-disclosure-admin () lists netsys com

[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Frank Knobbe

Sent: Wednesday, March 10, 2004 12:53 PM

To: Chmielarski TOM-ATC090

Cc: full-disclosure () lists netsys com

Subject: RE: [Full-disclosure] Comcast using IPS to protect the Internet

f rom their home user clients?

 

On Wed, 2004-03-10 at 07:46, Chmielarski TOM-ATC090 wrote:

Yes, they say they are now doing this.

http://www.infoworld.com/article/04/03/09/HNcomcastspam_1.html

But this article says they are shutting systems down once identified as

a spam/hack/dos zombie. This can be done easily by reconfiguring the

Cable modem or removing MAC addresses from filter/pass tables (don't

know what types of access controls are in place over there).

It doesn't say they are using an inline IDS/IPS. Where would those IPS's

be? At the major NAPs or peering points? Or distributed in regional

hubs? I'm curious how they are dealing with the performance impact.

Perhaps they are using ASIC based IPS's, or very limited signature sets

(which would explain why a whisker scan completes unimpeded, but a nikto

scans hangs at the same "spot").

So far, a couple others reported that they noticed the same behavior. I

haven't heard anyone say "my scans are not affected". To reproduce the

test, fire off a nikto scan against a remote web server (remember, get

permission first). See if nikto completes without getting stuck. (I used

a recent nikto from the FBSD ports tree).

Anyhow, finding spam sources and bandwidth hogs and turning them off

manually is one thing. Having an network-based intrusion prevention

system sitting in their wires is another. Perhaps they are beta testing

that as an additional method to weed out bad traffic?

Regards,

Frank

 

PS: I'm completely okay with them filtering as long as they allow me to

tunnel my traffic to corporate servers. Whatever it takes to get rid of

spam is fine with me... 



---------------------------------
Do you Yahoo!?
Yahoo! Search - Find what youÂ’re looking for faster.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault