Checkpoint IPS

Roland Dobbins rdobbins at arbor.net
Fri Feb 6 14:18:08 UTC 2015


On 6 Feb 2015, at 20:08, Ray Soucy wrote:

> An IDS tied into an internal RTBH setup to leverage uRPF filtering in
> hardware can be pretty effective at detecting and blocking the typical
> UDP attacks out there before they reach systems that don't handle that
> as gracefully (e.g. firewalls or host systems).

Using flow telemetry for this scales much, much better.  One could 
easily set something like this up using open source flow telemetry 
collection/analysis tools.

Of course, giving attackers the ability to spoof the IP addresses of 
their choice and then induce your network infrastructure into blocking 
said IP addresses isn't necessarily optimal, IMHO.  I'm not a big fan of 
any kind of auto-mitigation for this reason - it's best to have a human 
operator in the loop.

If one is determined to do this kind of auto-mitigation, it's probably a 
good idea to whitelist certain things which ought never to be S/RTBHed 
via appropriate route filtering on the trigger and/or edge devices where 
traffic will be dropped.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
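The approach sketched in this exchange, as an added example that is not part of the thread and not code from either poster: flow-telemetry records are summed per source address, UDP sources over a packet-rate threshold become S/RTBH candidates, anything inside a never-blackhole list is suppressed, and the resulting trigger routes are rendered for an operator to approve rather than installed automatically. The flow records, the threshold, the 60-second window, the never-blackhole prefixes and the route tag are all constructed for this example.

```python
"""Flow-telemetry-driven S/RTBH proposals with a never-blackhole whitelist.

Added example, not from the mailing-list post: aggregates constructed
NetFlow-style records per source address, flags high-rate UDP sources, drops
any candidate that falls inside a never-blackhole list, and renders trigger
routes for a human operator to review instead of pushing them automatically.
"""
import ipaddress
from collections import defaultdict

UDP = 17
WINDOW_SECONDS = 60        # assumed export interval covered by the records below
PPS_THRESHOLD = 5000       # assumed per-source UDP packet-rate threshold

# Constructed flow records: (src, dst, proto, sport, dport, packets, bytes).
# Addresses are documentation ranges; volumes are invented for this example.
FLOWS = [
    ("203.0.113.10",  "192.0.2.5", UDP, 123,   80,    500000, 38000000),  # NTP-sourced UDP flood
    ("203.0.113.11",  "192.0.2.5", UDP, 1900,  80,    400000, 30000000),  # SSDP-sourced UDP flood
    ("198.51.100.53", "192.0.2.5", UDP, 53,    33000, 360000, 27000000),  # high rate, but our resolver
    ("192.0.2.77",    "192.0.2.5", UDP, 5000,  53,    600000, 45000000),  # inside our own prefix
    ("203.0.113.200", "192.0.2.5", 6,   44000, 443,   2000,   200000),    # ordinary TCP session
    ("203.0.113.201", "192.0.2.5", UDP, 40000, 53,    100,    8000),      # low-rate DNS client
]

# Assumed never-blackhole list: our own prefix and a recursive resolver we depend on.
# Spoofed traffic "from" these addresses must never turn into a blackhole route.
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.53/32")]


def udp_sources_over_threshold(flows, window=WINDOW_SECONDS, pps_threshold=PPS_THRESHOLD):
    """Return {src: pps} for sources whose summed UDP packet rate exceeds the threshold."""
    pkts = defaultdict(int)
    for src, _dst, proto, _sport, _dport, packets, _bytes in flows:
        if proto == UDP:
            pkts[src] += packets
    return {src: n / window for src, n in pkts.items() if n / window > pps_threshold}


def is_whitelisted(addr, whitelist=NEVER_BLACKHOLE):
    """True if addr falls inside any never-blackhole prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in whitelist)


def propose_srtbh(flows, whitelist=NEVER_BLACKHOLE):
    """Split over-threshold UDP sources into blackhole proposals and whitelisted suppressions.

    Nothing here touches a router: the output is a proposal list for an operator.
    """
    offenders = udp_sources_over_threshold(flows)
    proposals, suppressed = [], []
    for src, pps in sorted(offenders.items(), key=lambda kv: kv[1], reverse=True):
        if is_whitelisted(src, whitelist):
            suppressed.append(src)
        else:
            proposals.append({"prefix": f"{src}/32", "pps": pps})
    return proposals, suppressed


def render_trigger_routes(proposals, tag=666):
    """IOS-style static routes for the trigger router.

    The tag is a placeholder value that the trigger's redistribution policy
    would match on; the edge routers' uRPF then drops packets from the source.
    """
    return [f"ip route {p['prefix'].split('/')[0]} 255.255.255.255 Null0 tag {tag}"
            for p in proposals]


if __name__ == "__main__":
    proposals, suppressed = propose_srtbh(FLOWS)
    print("Candidates for operator approval (not applied automatically):")
    for p in proposals:
        print(f"  {p['prefix']:<20} {p['pps']:>8.0f} pps")
    for line in render_trigger_routes(proposals):
        print("  " + line)
    print("Suppressed by never-blackhole list:", ", ".join(suppressed))
```

On the constructed records the two flood sources in 203.0.113.0/24 become proposals, while the resolver and the address inside our own /24 are suppressed even though their rates exceed the threshold; that suppression is the route-filtering safeguard described above, applied at the analysis stage so a spoofed source can never talk the trigger into blackholing something critical.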
