RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
Actually, I wasn't talking about a worm, and I'm not talking about an
automated scan that goes out and sweeps an IP range. For instance, I hit
www.somecompanyhere.com and, through some digging (oh, let's say I hit
Netcraft or hit port 80 to see what type of banner I'm getting), then run the
attack from a second network. Will ActiveScout block the attack or not?
In other words, does the appliance need to see that bogus information or
"mark" to block the attack, or can I run exploits against a known host
until I turn blue in the face? It's one thing for "non-public" servers, but
what about web servers or any other server on the DMZ?
-Karl
On Mon, 16 Dec 2002, Dudley, Brian (ISS Chicago) wrote:
> A scan is launched at a web server farm by a hacker or a worm; ActiveScout replies with bogus information about web servers that do not exist. Then the hacker or automated worm takes this information and tries to launch an attack at these bogus hosts, and immediately ActiveScout blocks the attacker's IP. It knows that nobody should send a request to an IP that does not exist. So it doesn't matter if you are from the original scanning IP address or a separate address. The only thing that matters is you are trying to attack a host that does not exist. Now if you get lucky and launch an attack from a separate IP at a valid server IP, then your traditional IDS should catch it; however, automated attacks take scan info and launch at all IPs, and therefore worms like Slapper or Code Red should be automatically blocked. This product is a supplement to regular IDS/IPS, which will detect and block single-host attacks with no pre-attack probe. The beauty is that it blocks unknown automated attacks like Code Red, Nimda, Slapper, etc... Remember Defense in Depth... There is no silver bullet...
>
> Having said that, a problem I see is if the attacker knows you are using this technology and spoofs the source address of one of your business partners, DNS server, etc. in a packet destined to a bogus ActiveScout IP, which could potentially DoS your network. This may be mitigated if ActiveScout ensures that a full TCP session is established before blocking the offending IP.
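The mitigation Brian raises at the end, requiring a full TCP session before blocking, as an added illustration (my own sketch, not ActiveScout's code): a toy tracker that blocks a source only after it completes the three-way handshake to a decoy address, so a SYN spoofed with a partner's address never triggers a block. The decoy and host addresses, the simplified flag strings ("S", "SA", "A", "R") and the trace are all constructed.

```python
from collections import namedtuple

# One TCP segment summary; flags are a constructed shorthand for SYN, SYN-ACK, ACK, RST.
Segment = namedtuple("Segment", "src dst flags")


class DecoyBlocker:
    """Block a source only once it completes the 3-way handshake to a decoy.

    A spoofed SYN never reaches that stage: the decoy's SYN-ACK goes to the
    real owner of the spoofed address, who answers with RST, not ACK.
    """

    def __init__(self, decoy_ips):
        self.decoys = set(decoy_ips)
        self.pending = {}      # (client, decoy) -> "syn" | "synack"
        self.blocked = set()

    def observe(self, seg):
        """Feed one segment; return True if seg.src was blocked by this segment."""
        if seg.dst in self.decoys:
            key = (seg.src, seg.dst)
            if seg.flags == "S":
                self.pending[key] = "syn"
            elif seg.flags == "A" and self.pending.get(key) == "synack":
                # Third leg of the handshake from the same source: the session is real.
                del self.pending[key]
                self.blocked.add(seg.src)
                return True
            elif seg.flags == "R":
                # Owner of a spoofed address rejecting our SYN-ACK: drop state, no block.
                self.pending.pop(key, None)
        elif seg.src in self.decoys:
            key = (seg.dst, seg.src)
            if seg.flags == "SA" and self.pending.get(key) == "syn":
                self.pending[key] = "synack"
        return False


def replay(segments, decoy_ips=("192.0.2.50", "192.0.2.51")):
    """Run a trace through the blocker and return the set of blocked sources."""
    blocker = DecoyBlocker(decoy_ips)
    for seg in segments:
        blocker.observe(seg)
    return blocker.blocked


# Constructed trace: a real attacker completing a handshake to one decoy, and a
# SYN spoofed from a partner's address (198.51.100.7) aimed at the other decoy.
SAMPLE_TRACE = [
    Segment("203.0.113.9", "192.0.2.50", "S"),
    Segment("192.0.2.50", "203.0.113.9", "SA"),
    Segment("203.0.113.9", "192.0.2.50", "A"),      # attacker is blocked here
    Segment("198.51.100.7", "192.0.2.51", "S"),     # spoofed, not sent by the partner
    Segment("192.0.2.51", "198.51.100.7", "SA"),
    Segment("198.51.100.7", "192.0.2.51", "R"),     # real partner host rejects it
]

if __name__ == "__main__":
    print(replay(SAMPLE_TRACE))   # {'203.0.113.9'}
```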
Received on Mon Dec 16 16:17:08 2002
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 14:01:04 EDT