Home page logo

pen-test logo Penetration Testing mailing list archives

Re: AppScan and IDS evasion
From: TH <fsbo () haverkos com>
Date: Fri, 27 Jun 2008 16:53:37 -0500

Chroot <chrooted () gmail com> writes:

Isn't this a vulnerability in itself that your client blocks an IP
address. This could result in a DoS attack if you can spoof source IP
address. In my book IPS should block the attack not the source. Source
can be spoofed.

I agree--IDS's that lock out entire IP's based on attack signature
triggering are quite brain dead, and can be weaponized against their
owners.  I'm not an IPS expert, but I would certainly have clients
avoid ones that behave as the OP described.  Good IDS's block only the
troublesome packets/streams of traffic itself rather than wholesale
lockouts based on IP.

For instance, what if an attacker with nice network connectivity such
that they can spoof packets without any filtering, and then they run
snot or sneeze, or whatever the IDS/IPS triggering tool of chioce
is...while spoofing traffic as though its coming from...

$ for i in a b c d e f g h i j k l m ; do  dig +short $i.root-servers.net; done

If suddenly the target network's IPS locked out any traffic (including
solicited responses) from any of those addresses....

Name resolution for that entire network would cease to work all that
well.  Those servers are the 13 DNS root nameservers. 

Happily, there are better IPS's out there.  

This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]