Skip to content

Commit 49283a5

Browse files
llpetersonllpeterson
committed
smooth DoS/IPS edges
1 parent c4043f0 commit 49283a5

File tree

2 files changed

+30
-32
lines changed

2 files changed

+30
-32
lines changed

firewall.rst

Lines changed: 13 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -582,20 +582,17 @@ and authorization” although it's less memorable.
582582
<https://www.usenix.org/system/files/login/articles/login_dec14_02_ward.pdf>`__.
583583
;login:, Usenix, 2014.
584584

585-
9.5 Security Appliances
586-
------------------------------
585+
9.5. Intrusion Detection and Prevention
586+
--------------------------------------------
587587

588588
As introduced at the beginning of this chapter, *security appliances*
589589
are a generalization of firewalls. Such appliances are placed
590590
throughout the network, watching for and responding to unwanted
591591
traffic. The main challenge they face is how to distinguish between
592-
good and bad traffic. This section looks at two examples.
592+
good and bad traffic. This section looks at two examples: an
593+
*intrusion detection systems* (IDS), and its sibling *intrusion
594+
prevention systems* (IPS).
593595

594-
9.5.1 Intrusion Detection and Prevention
595-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
596-
597-
A common example of a security appliance is an *intrusion detection
598-
system* (IDS), or its sibling *intrusion prevention system* (IPS).
599596
These systems look for anomalous activity, such as an unusually
600597
large amount of traffic targeting a particular port number, which
601598
often signals a malicious attempt to probe for a vulnerability. When
@@ -625,14 +622,6 @@ important. That leads to the same concerns about east-west traffic
625622
that we discussed above, and thus there are also distributed versions
626623
of these systems.
627624

628-
For an IDS/IPS that uses packet signatures to be effective, the set of
629-
potential attacks need to have been spotted in the wild and analyzed
630-
so that suitable rules can be formulated. Sharing rules among a
631-
community of users helps to speed up this process, and commercial
632-
IDS/IPS systems typically come with a subscription to a
633-
frequently-updated rules database. (See the Snort website referenced
634-
above for an example set of community rules.)
635-
636625
.. sidebar:: Identifying Unwanted Traffic
637626

638627
*Our overview of security appliances could lead to the conclusion
@@ -656,6 +645,14 @@ above for an example set of community rules.)
656645
a human, and not an AI bot
657646
trying to scrape their content, is at other end of every HTTP request.*
658647

648+
For an IDS/IPS that uses packet signatures to be effective, the set of
649+
potential attacks need to have been spotted in the wild and analyzed
650+
so that suitable rules can be formulated. Sharing rules among a
651+
community of users helps to speed up this process, and commercial
652+
IDS/IPS systems typically come with a subscription to a
653+
frequently-updated rules database. (See the Snort website referenced
654+
above for an example set of community rules.)
655+
659656
Another approach to using signatures is to look for
660657
*anomalies*—patterns in the behavior of traffic that somehow stand out
661658
from "normal" and can be categorized as a potential attack. Clearly

infra.rst

Lines changed: 17 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -970,7 +970,7 @@ for the target function.
970970

971971
In much of this book we have focused on attacks against the
972972
confidentiality or integrity of information, but we also need to
973-
concern ourselves with availability of both the end systems (such as
973+
concern ourselves with availability. This is true for both end systems (such as
974974
web sites) and the infrastructure of the network itself. Commonly
975975
known as *Denial of Service (DoS)* attacks, such attacks typically
976976
involve an adversary trying to overwhelm "good" resources (link
@@ -1007,17 +1007,17 @@ servers—content remains available. This notion of *aggregate* capacity
10071007
generalizes beyond web servers responding to HTTP GET requests. A
10081008
network is itself a distributed collection of forwarding and
10091009
transmission resources, engineered to distribute those resources in a
1010-
way that avoids vulnerable bottlenecks. The DNS, for example, is
1011-
itself a highly distributed system designed to avoid single points of
1010+
way that avoids vulnerable bottlenecks. The DNS illustrates this perfectly:
1011+
it is a highly distributed system designed to avoid single points of
10121012
failure with redundancy at all levels of the hierarchy.
10131013

10141014
The second countermeasure is to filter malicious traffic as early
10151015
(close to the source) as possible. If a DoS attack comes from a single
10161016
source, then it is easy to "block" traffic from that source at an
10171017
ingress to a network you control. This is why DoS attacks are
10181018
typically distributed. Dropping (or rate limiting) attack packets at
1019-
the boundary router (or firewall) for an enterprise or service
1020-
provider is better than allowing those packets to flood the core of
1019+
the boundary router for a service provider (or at a firewall for an enterprise)
1020+
is better than allowing those packets to flood the core of
10211021
the network and reach a victim server(s), but the more widely
10221022
distributed the periphery of your network, the earlier you can filter
10231023
malicious packets. And drawing on the first countermeasure, the more
@@ -1051,22 +1051,23 @@ Another well-known example is a "SYN Flood" targeting TCP, whereby an
10511051
attacker floods a server with SYN requests without any intent to
10521052
complete the TCP handshake and actually establish a connection. This
10531053
overloads TCP's connection table, potentially denying connections to
1054-
legitimate clients. An IDS/IPS can help protect servers since a flood
1055-
of SYN packets is anomalous behavior, but individual servers can also
1056-
limit the impact by encoding connection state in the sequence number
1057-
included in the SYN+ACK they send back to the client—a "SYN cookie" of
1058-
sorts—and then allocate connection state locally only after the client
1059-
goes to the trouble of correctly ACK'ing that packet. This is a
1060-
variant of the first countermeasure in that it forces the attacker to
1061-
use additional resources.
1054+
legitimate clients. An Intrusion Detection System (see the next
1055+
chapter) can help protect servers since a flood of SYN packets is
1056+
anomalous behavior, but individual servers can also limit the impact
1057+
by encoding connection state in the sequence number included in the
1058+
SYN+ACK they send back to the client—a "SYN cookie" of sorts—and then
1059+
allocate connection state locally only after the client goes to the
1060+
trouble of correctly ACK'ing that packet. This is a variant of the
1061+
first countermeasure in that it forces the attacker to use additional
1062+
resources.
10621063

10631064
These examples are just a few of many illustrating the need to program
10641065
defensively. This is especially true for protocols since they are
10651066
purposely designed to process messages from remote sources, exposing
10661067
them to attempts to crash, hack, or as in the case of DoS attacks,
1067-
simply consume the system. This topic ventures outside the scope of
1068-
the book, but the following reference explores one approach to
1069-
addressing the challenge.
1068+
simply consume the system. Defensive programming ventures outside the
1069+
scope of this book, but the referenced OSDI paper is an example of one
1070+
approach.
10701071

10711072
.. admonition:: Further Reading
10721073

0 commit comments

Comments
 (0)