Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/30/2007
07:55 AM
50%
50%

Outer Limits of IPS

Anomaly- and rules-based protections are nice, but they have their limitations

5:55 PM -- When traffic spikes, are you actually under attack? Will deployed intrusion prevention hardware start blocking traffic to your site? Is it safe to block that traffic -- especially automatically?

These are the questions you should be asking yourself if you are going to deploy an intrusion prevention system (IPS).

Several years ago Richard Stiennon -- then still with Gartner -- told the world that the intrusion detection system (IDS) was dead. He was talking about the fact that companies don't recoup their costs by deploying something that simply monitors that they are under attack. Rather, he argued, they should instead invest in a smarter solution that actually does something to prevent the attack, like -- an intrusion prevention system (IPS) or hardware to combat distributed denial-of-service (DDOS) attacks.

IPSes are typically no more than glorified rules engines tied in with a firewall. There are different versions; some that send packets to kill the connection (like the great firewall of China that protects the entire country from bad words, like the phrase that's a form of Tai Chi with religious implications). Others simply drop the packets. In the end, the intended effect is the same: The connection with the malicious traffic is disrupted. But is that what you really want? What is triggering these rules?

There are two types of detection, anomaly- and rules-based. Rules-based says that the malicious traffic must perform a particular function that matches what's on the rules engine in order to be blocked. Anomaly is based on the premise that traffic patterns tend to follow a particular pattern. If traffic ever spikes above normal it's an anomaly and it should be stopped.

But here's how each type of detection can easily fail. In the case of the great firewall of China, they send packets in each direction to shut down the connection if they find a bad word. But if someone were to try and encode even vaguely the bad word by reversing the text, using pig latin, or any of a thousand other techniques, then the rules engine would not fire. There are other problems with China's method, in that if you simply ignore the packets they send to shut down the connection, you can continue to route packets. A flawed solution, indeed.

Anomaly detections only detect when an action is performed that should not happen. In the case of a cross-site request forgery, it is trivial to get a valid user to perform an action which then shuts down that connection for that user (not the attacker). If the attacker can get a search engine to follow a link to a function that it should not attempt to go to, your IPS could actually end up blocking the search engines from spidering your site, which hurts your ability to get traffic to your company. This same problem exists for rules engines as well.

However, there is another issue with anomaly detection. Let's pretend you are Victoria's Secret. All year long your traffic is a low rumble. But once a year your traffic spikes so high that any anti-DDOS engine could not ignore it. Do you really want to prevent millions of viewers from watching your online fashion show?

It looks and smells like a denial-of-service attack, but yet it is one of the critical parts of doing business. Granted DDOS and IPSes are trying to solve two different issues, but this is a good explanation of how anomaly detection can create huge false positives.

While both anomaly detection and rules engines have their own unique issues, both have their uses. I wouldn't recommend ditching your IPS dreams of a safe future. But don't hold your breath. The technology has a long way to go before it is capable of that subtle balance between security and invasiveness.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23381
PUBLISHED: 2021-04-18
This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23374
PUBLISHED: 2021-04-18
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23375
PUBLISHED: 2021-04-18
This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23376
PUBLISHED: 2021-04-18
This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23377
PUBLISHED: 2021-04-18
This affects all versions of package onion-oled-js. If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.