Checkpoint IPS
On 6 Feb 2015, at 20:08, Ray Soucy wrote:
> An IDS tied into an internal RTBH setup to leverage uRPF filtering in
> hardware can be pretty effective at detecting and blocking the typical
> UDP attacks out there before they reach systems that don't handle that
> as gracefully (e.g. firewalls or host systems).
Using flow telemetry for this scales much, much better. One could
easily set something like this up using open source flow telemetry
collection/analysis tools.
Of course, giving attackers the ability to spoof the IP addresses of
their choice and then induce your network infrastructure into blocking
said IP addresses isn't necessarily optimal, IMHO. I'm not a big fan of
any kind of auto-mitigation for this reason - it's best to have a human
operator in the loop.
If one is determined to do this kind of auto-mitigation, it's probably a
good idea to whitelist certain things which ought never to be S/RTBHed
via appropriate route filtering on the trigger and/or edge devices where
traffic will be dropped.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
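The whitelist-before-trigger idea from the message above, as an added example that is not part of this thread: a small guard that sits between a detector (IDS or flow collector) and the S/RTBH trigger router. The never-blackhole prefixes and the batch cap are constructed assumptions for illustration.

```python
import ipaddress

# Constructed whitelist: prefixes that must never be source-blackholed no
# matter what an IDS or flow collector reports. Contents are illustrative
# assumptions (documentation ranges), not anyone's real infrastructure.
NEVER_BLACKHOLE = [
    ipaddress.ip_network("192.0.2.0/24"),     # assumed: our own edge/loopbacks
    ipaddress.ip_network("198.51.100.0/24"),  # assumed: customer space behind us
    ipaddress.ip_network("203.0.113.8/32"),   # assumed: upstream peering link
    ipaddress.ip_network("2001:db8::/32"),    # assumed: our IPv6 allocation
]

def is_protected(ip, whitelist=NEVER_BLACKHOLE):
    """True if ip lies inside any prefix that must never be S/RTBHed."""
    return any(ip in net for net in whitelist)

def filter_srtbh_candidates(candidates, whitelist=NEVER_BLACKHOLE, max_auto=50):
    """Split detector output into host routes safe to auto-trigger ("auto")
    and entries held for an operator ("review", each with a reason).

    max_auto is an assumed safety cap: a sudden flood of distinct "attacker"
    sources is exactly what spoofed traffic produces, so the whole batch is
    held for a human rather than pushed to the trigger router."""
    auto, review = [], []
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            review.append((raw, "unparseable address"))
            continue
        if is_protected(ip, whitelist):
            review.append((str(ip), "inside never-blackhole prefix"))
            continue
        # Only exact host routes go to the trigger; never widen to a prefix.
        auto.append(f"{ip}/{ip.max_prefixlen}")
    if len(auto) > max_auto:
        review.extend((r, "batch exceeds auto-mitigation cap") for r in auto)
        auto = []
    return {"auto": auto, "review": review}

if __name__ == "__main__":
    # Constructed detector output for a stand-alone run.
    sample = ["203.0.113.50", "192.0.2.10", "2001:db8::1", "not-an-ip", "203.0.113.8"]
    print(filter_srtbh_candidates(sample))
```

The same prefix list should also be enforced as an inbound route filter on the trigger and edge routers, since the script is only the first line of defence.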