RE: ForeScout ActiveScout (was: Re: Intrusion Prevention)
From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Mon Dec 16 2002 - 21:28:56 EST
Brian, thanks, that's the only scenario I could come up with as well, which unfortunately requires a large pool of available IPs for fake hosts. A smaller subnet, say a /28 with 10 web servers, doesn't seem to benefit from it very much. At the same time, one might want to just block anyone that hits an unused IP address. I fail to see where the correlation comes in with a shine.

> Having said that, a problem I see is if the attacker knows you are using this technology and spoofs the source address of one of your business partners, DNS server, etc. in a packet destined to a bogus ActiveScout IP, which could potentially DOS your network. This may be mitigated if ActiveScout ensures that a full TCP session is established before blocking the offending IP.

There are always risks with any automated response (I personally prefer a silent drop over a TCP reset). Those risks can be minimized, but I don't want to get into those arguments anymore (they are probably in the archives when you search for SnortSam and such... ;)

To reword (and translate) what Oded said, using your explanation:

|The technology has several interesting attributes. To name a few:

Of course it doesn't care about the payload. It just triggers on any type of packet to unused IPs. No need to inspect the packet payload. (Also no need to provide a bogus banner....hmmm....)

|- It is not sensitive to whether the attack comes from the same source

Again, any source accessing unused IPs could be punished. I fail to understand the purpose of this sentence given Brian's explanations.

|- The detection is extremely accurate, allowing for automatic blocking

Of course, if you only trigger on unused IPs...

|- It is not dependent on the actual probing technique (e.g. simple TCP

Again, any packet to an unused IP can trigger an action, nothing fancy here either.

|- Attacks are detected at an extremely early stage, when the payload

Does 'extremely early stage' translate to 'before the TCP 3-way handshake is established'? Of course, the SYN to an unused IP is enough, no need to complete a handshake...

The "we'll present fake hosts and block anyone accessing those" explanation is sooo much more down to earth than the advertised version. Sounds like the 'markers' are just fake services represented through fake banners on ports of unused IPs. I'm not sure what else could be used to "bait'n'track" an attacker, perhaps a fake FTP site with a fake user account list? If the markers extend beyond just fake banners, then I remain interested. Otherwise I'll just continue to block sources that access unused IP addresses, since it seems to have the same result.

This is all provided that Brian's explanation of the product is accurate. If that's the case, then this is a great example of how carefully crafted advertising language can make a product appear to be something larger than it is. Should Brian's explanation not be accurate, I encourage ForeScout to provide further details. Otherwise I'll file it under 'Deceptive Marketing' in the Doghouse....
Regards,
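The spoofing concern raised in the quoted paragraph above (a forged SYN carrying a business partner's address could get that partner blocked) and the suggested mitigation (only block once a full TCP session exists) can be shown in a few lines. The following is an added example written for this archive page; it is not ForeScout's code and does not describe how ActiveScout actually works. The subnet, the real/unused host split, the addresses and the packet trace are all constructed for illustration. The responder pretends to be a host on every unused IP, answers SYNs, but only adds a source to the block list after that source returns the final ACK, which a forger who never saw the SYN-ACK cannot do. Blocked sources are silently dropped rather than reset, matching the preference stated in the message.

```python
"""Added example (not from the thread or from ForeScout): a toy "dark IP"
responder that blocks a source only after it completes a TCP three-way
handshake with an unused address, so a single spoofed SYN cannot get a
business partner blocked. Every address and the trace below is constructed."""

from dataclasses import dataclass, field

# Assumed deployment: a /28 with three real web servers; every other
# address in the range is treated as an unused ("fake host") IP.
SUBNET_HOSTS = {f"192.0.2.{i}" for i in range(1, 15)}
REAL_HOSTS = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}
UNUSED_HOSTS = SUBNET_HOSTS - REAL_HOSTS


@dataclass
class Packet:
    """Minimal TCP header view: only the fields the decision needs."""
    src: str
    dst: str
    syn: bool = False
    ack: bool = False


@dataclass
class DarkIPResponder:
    """Blocks only sources that finish the handshake with an unused IP.

    A spoofed SYN never delivers our SYN-ACK to the forger, so the forger
    cannot produce the final ACK and the spoofed address is never blocked.
    """
    half_open: set = field(default_factory=set)        # (src, dst) awaiting final ACK
    blocked: set = field(default_factory=set)          # sources we silently drop
    suspicious_syns: dict = field(default_factory=dict)  # src -> SYNs to unused IPs

    def handle(self, pkt: Packet) -> str:
        if pkt.src in self.blocked:
            return "drop"            # silent drop, no TCP reset
        if pkt.dst not in UNUSED_HOSTS:
            return "pass"            # traffic to a real server, not our business
        key = (pkt.src, pkt.dst)
        if pkt.syn and not pkt.ack:
            # Play the fake host: remember the half-open session and count
            # the SYN, but do not block yet; the source may be spoofed.
            self.half_open.add(key)
            self.suspicious_syns[pkt.src] = self.suspicious_syns.get(pkt.src, 0) + 1
            return "syn-ack"
        if pkt.ack and key in self.half_open:
            # The final ACK proves the sender received our SYN-ACK, i.e. it
            # really owns (or is on-path for) that address: safe to block.
            self.half_open.discard(key)
            self.blocked.add(pkt.src)
            return "block"
        return "ignore"


def run_trace(packets):
    """Feed a packet list through a fresh responder; return (actions, responder)."""
    responder = DarkIPResponder()
    actions = [responder.handle(p) for p in packets]
    return actions, responder


# Constructed trace: a scanner completes the handshake with an unused IP,
# then a forger sends one SYN with a partner's address (203.0.113.5) spoofed.
TRACE = [
    Packet("198.51.100.7", "192.0.2.9", syn=True),   # scanner SYN to fake host
    Packet("198.51.100.7", "192.0.2.9", ack=True),   # scanner ACK completes handshake
    Packet("198.51.100.7", "192.0.2.1", syn=True),   # scanner now hits a real server
    Packet("203.0.113.5", "192.0.2.10", syn=True),   # spoofed SYN "from" the partner
    Packet("203.0.113.5", "192.0.2.1", syn=True),    # the partner's genuine traffic
]

if __name__ == "__main__":
    actions, r = run_trace(TRACE)
    for pkt, action in zip(TRACE, actions):
        print(f"{pkt.src:>14} -> {pkt.dst:<12} {action}")
    print("blocked:", sorted(r.blocked))
    print("SYNs to unused IPs per source:", r.suspicious_syns)
```

Running it shows the scanner blocked after its second packet and dropped on its third, while the partner address, despite appearing in a SYN to an unused IP, keeps passing to the real server. The suspicious SYN counter is where a plain "block on first SYN" policy would have acted; keeping it as a counter rather than a trigger is the whole difference between the two approaches the message compares.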
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:04 EDT