IPS Explained

Building on the previous post about our IPS (Intrusion Protection System), people are curious to know how the devices work and how they make decisions.free hosting no ads

We’ll start with a few random example attacks logged by one of our IPS devices:

06/25/2006 14:07:42 Gateway Anti-Virus Alert:
Netsky.P#fsg (Worm) blocked

06/25/2006 13:35:53 SYN flood attack dropped

06/25/2006 13:11:59 IPS Prevention Alert: EXPLOIT ASN.1
Remote Code Execution 2 (IIS),
SID: 2829, Priority: High

06/25/2006 05:15:03 IPS Prevention Alert: EXPLOIT
Invision Power Board <= 2.1.5
(from_contact) SQL Injection
Attack, SID: 3192, Priority: High

First lets explain the events listed above…

06/25/2006 14:07:42 Gateway Anti-Virus Alert:
Starting with the first entry we have a Netsky email worm attempting to enter our network via an infected email.

This Netsky worm spreads by sending out copies of itself as email attachment using its built-in SMTP engine. It gathers target recipients from certain files found on the affected machine, virtually turning the affected system into a propagation launch pad.

06/25/2006 13:35:53 SYN flood attack dropped
Next we have a SYN flood type attack.

A SYN Flood is a denial of service attack in which TCP connection requests are sent faster than the system can process them. This causes the memory to fill up, forcing the new connections to be ignored. This detection triggers whenever a large number of SYN packets are seen in a short period of time.

06/25/2006 13:11:59 IPS Prevention Alert: EXPLOIT ASN.1
Next on the list we have an attempted Windows Server Exploit.

A security vulnerability exists in the Microsoft ASN.1 Library that could allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which could result in a buffer overflow.

An attacker who successfully exploited this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

06/25/2006 05:15:03 IPS Prevention Alert: EXPLOIT
And last on the list we have an Invision Power Board forum exploit attempt.

Invision Power Board is vulnerable to a remote SQL injection attack. An exploit has been published, which allows an attacker to extract a password hash from the forum’s data base of any registered user. An attacker may then unset his cookies used by the forum – and pass the obtained hash and corresponding target User ID, authenticating himself to the server as an arbitrary user.

Intrusion Protection Systems are in place to continuously look at the data stream coming into our network, they are pre-programmed and updated “on the fly” to detect signatures of known exploits and either warn or block them based on a predefined threat level. When a remote device creates a malicious attempt on our network, the traffic has to pass through an IPS device. As the traffic goes into the IPS it rapidly scans the data stream, and makes the decision to block or allow the traffic based on its database of malicious signatures. If the data is found to be malicious it is blocked and logged before it reaches the server.

While we cannot disclose the total amount of malicious items we scan for, we can however state that we have well over 20,000 malicious signatures in our IPS databases. Those signatures include server/software exploits, email worms/viruses, and some forms of spyware. That number does not include the malicious signature databases used by our provider’s IPS devices.

The entire detection process takes place in real-time and shows no noticeable lag on the data connection to the server. All Sitestash hosting servers are protected by IPS systems, dedicated server and co-location customers have access to IPS/Firewall protected bandwidth by request.