Re: Port Scanning

From: DWreck (dwr3ckmailbox-pentest@yahoo.com)
Date: Tue Jan 04 2005 - 14:10:37 EST


Interesting.

Most IPS admins do not block port scans. The data is
fed to a SIM to keep a "low priority" eye on who may
or may not be profiling you.

Most people using IPS's have them tuned to block nachi
type protocol anomalies etc.

Interesting DOS scenario though.

--- robert@dyadsecurity.com wrote:

> Sugiowono(sugiowono@datacomm.co.id)@Wed, Dec 22,
> 2004 at 10:42:53AM
> > So how to or what is the step to pass through
> those security devices ?
> > What is the great tools to pass through the FW and
> IPS?
>
> Let me clear up the context for this response before
> all of the
> traditional "Give me $50 and I'll punch you in the
> face" style
> penetration testers respond. In most engagements,
> we perform our
> testing with as much customer interaction as
> possible.
>
> The conversation we have with our customers when it
> comes to the IPS and
> port scanning issues is this: While IPS's can detect
> port scans and
> disallow access to the IP seeming to be performing the
> scan, they can not
> determine the difference between a real IP and a
> spoofed IP. When you
> disallow access based on a perception of bad
> behavior, you are
> essentially adding rules that the attacker has
> control over.
>
> In our next version of unicornscan, for example, it
> will be possible to
> target a particular network range to come from. If
> you know your
> customer works primarily with a particular remote
> network, a simple
> 'unicornscan -sr:remote_range/24 customer_range/24:a
> -mT -r500 -R20'
> could effectively make an IPS disallow entry for
> every IP in the
> remote_range/24 network. A wise man once said "When
> you let bad people
> write your rules for you, bad things can happen".
>
> In the direct act of malice situation, attackers
> have an unlimited
> amount of time. They also have an unlimited amount
> of resources (IP
> addresses/machines/bandwidth) because there are
> countless machines they
> can compromise first, and then attack you from. No
> IPS will stop the
> determined attacker from collecting available
> services information over
> time.
>
> New tools also allow for custom packet payloads,
> including exploit
> payloads. In these automated attacks, the attacker
> will attempt to
> compromise any machine that is available. They will
> not port scan you
> first. They will not check for the banner. In this
> situation, most
> IPS's will also not help you.
>
> That said, we will go through the IDS testing
> section of the OSSTMM.
> This allows us to map and measure the capabilities
> of the IDS. We will
> attempt to measure what triggers a block, and for
> how long the block
> lasts. As soon as we are done mapping and measuring
> the IDS, we ask to
> be whitelisted for the duration of the test. As I
> stated before,
> attackers have an unlimited amount of time and
> resources. Security
> testers do not =). Also if the IPS triggers blocks
> on payloads from
> spoofed hosts, it gets written up as a potential DoS
> in the report.
>
> For firewall testing, it is advisable to use a tool
> on both sides of the
> firewall. One for sending a wide variety of
> packets, one for catching
> the packets. Based on knowing what you sent, and
> what got through, you
> will have a very accurate picture of where the
> FW device is falling
> short.
>
> Robert
>
> --
> Robert E. Lee
> CTO, Dyad Security, Inc.
> W - http://www.dyadsecurity.com
> E - robert@dyadsecurity.com
> M - (949) 394-2033
>

=====
Thanks,

DWreck

CONFIDENTIALITY NOTICE: This e-mail and any
attachments thereto may
contain information which is privileged and
confidential, and is intended
for the sole use of the recipient(s) named above. Any
use of the
information contained herein (including, but not
limited to, total or partial
reproduction, communication or distribution in any
form) by persons
other than the designated recipient(s) is strictly
prohibited. If you have
received this e-mail in error, please notify the
sender either by
telephone or by e-mail and delete the material from
any computer. Thank you
for your cooperation.

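The point Robert makes about spoofed-source scans turning an auto-blocking IPS into a DoS against the customer's own partner network can be modelled without sending a packet. The following is an added example, not code from either poster or from unicornscan: a toy IPS that blocks after a number of distinct ports are probed, compared with one that only counts probes from sources that have completed a TCP handshake (and so cannot be spoofed). The event log, the 10.20.0.0/24 "partner" range and the threshold of five ports are constructed values.

```python
# Added example: toy model of IPS blocking on port-scan detection.
# All events below are constructed; nothing is sent on the network.
from collections import defaultdict

BLOCK_THRESHOLD = 5  # distinct ports from one source before blocking (assumed)

# Constructed event log: (src_ip, dst_port, handshake_completed).
# 10.20.0.0/24 stands in for the customer's remote partner network; the
# entries from it are SYNs whose source address was spoofed, so none of
# them ever completes a handshake.
EVENTS = [
    ("198.51.100.7", 22, True),
    ("198.51.100.7", 443, True),
    ("10.20.0.5", 22, False), ("10.20.0.5", 25, False), ("10.20.0.5", 80, False),
    ("10.20.0.5", 110, False), ("10.20.0.5", 143, False),
    ("10.20.0.9", 21, False), ("10.20.0.9", 23, False), ("10.20.0.9", 53, False),
    ("10.20.0.9", 80, False), ("10.20.0.9", 443, False),
]

def naive_ips(events, threshold=BLOCK_THRESHOLD):
    """Block a source once it has touched `threshold` distinct ports.
    Every SYN counts, so whoever forges source addresses writes the block list."""
    ports = defaultdict(set)
    blocked = set()
    for src, port, _ in events:
        ports[src].add(port)
        if len(ports[src]) >= threshold:
            blocked.add(src)
    return blocked

def handshake_aware_ips(events, threshold=BLOCK_THRESHOLD):
    """Only block sources that have completed at least one TCP handshake,
    i.e. that demonstrably receive replies at the address they claim.
    Probes from unverified sources are still counted for logging (the
    SIM-style 'low priority' view), but never trigger a block."""
    ports = defaultdict(set)
    verified = set()
    blocked = set()
    for src, port, completed in events:
        if completed:
            verified.add(src)
        ports[src].add(port)
        if src in verified and len(ports[src]) >= threshold:
            blocked.add(src)
    return blocked

def partner_ips_blocked(blocked, partner_prefix="10.20.0."):
    """Blocked addresses that fall in the partner range: the self-inflicted DoS."""
    return sorted(ip for ip in blocked if ip.startswith(partner_prefix))

if __name__ == "__main__":
    print("naive IPS blocks partner hosts:", partner_ips_blocked(naive_ips(EVENTS)))
    print("handshake-aware IPS blocks:", partner_ips_blocked(handshake_aware_ips(EVENTS)))
```

The naive model blocks both spoofed partner addresses; the handshake-aware one blocks nothing, which is the behaviour an IPS needs if a block on scan detection is to be written up as anything other than a potential DoS.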



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:12 EDT