[Snort-users] SHUN

ams67 ams67 at ...3655...
Mon Dec 2 15:03:02 EST 2002

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe at ...652...] 
Sent: Tuesday, 3 December 2002 11:43 a.m.
To: ams67
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] SHUN

On Mon, 2002-12-02 at 15:47, ams67 wrote:
> IMAO IDSs should not interfere with FWs. If I spoof my IP address with
> your current, e.g. DNS server and send a forged packet with an attack
> signature to your network protected by your IDS/FW integrated system I
> can create an easy DoS by stopping legal and operational traffic. 
> That is really easy to accomplish (e.g. nmap -D your.good.dns.server,
> your.good.external.router, etc..).

Basically true, but you can minimize the risk of those conditions.
SnortSam and Guardian for example have white-lists. Also, SnortSam can
detect DoS conditions and undo recent blocks and sit idle for a while.

Being able to DoS someone by spoofing DNS servers is becoming lame...
(no offense, but that argument has been beaten to death...)

Of course, a white list can minimize the risk of DoS, but it also increases
the risk of not detecting an internal attack. Therefore, it is a question
of choosing which is less risky...
I personally prefer to leave the job of detecting network anomalies to an IDS,
the job of filtering unwanted packets to a FW and the job of deciding what is
right to stop to the skills of the security operator. IDS
technologies are still at an early stage before I can totally rely on them.
I think now they are just good tools to 'help' make decisions.

No offence taken; however, I mentioned DNS and the external router as a
simple example. The fact that it has been beaten to death does not change the
level of potential threat.
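The two safeguards Frank mentions (a white-list, and a DoS-condition check that undoes recent blocks and sits idle for a while), as an added example that is not SnortSam's or Guardian's own code; the class, thresholds, addresses and the alert stream are all assumptions:

```python
"""Added illustration of an active-response gate with a white-list and a
DoS-condition rollback. Not SnortSam/Guardian code; values are assumed."""
import ipaddress
from collections import deque

# Constructed white-list: infrastructure a forged alert must never get blocked.
WHITE_LIST = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "192.0.2.1/32")]


class BlockGate:
    def __init__(self, whitelist, max_blocks=5, window=60, idle=300):
        self.whitelist = whitelist      # networks never blocked
        self.max_blocks = max_blocks    # blocks per window before we call it a DoS
        self.window = window            # seconds
        self.idle = idle                # seconds to ignore alerts after a rollback
        self.recent = deque()           # (timestamp, ip) of blocks still in window
        self.blocked = set()            # what the firewall currently blocks
        self.idle_until = 0

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def on_alert(self, ts, src_ip):
        """Decide on one alert: 'idle', 'whitelisted', 'blocked' or 'rollback'."""
        if ts < self.idle_until:
            return "idle"
        if self.is_whitelisted(src_ip):
            return "whitelisted"
        # Drop blocks that fell out of the rate window.
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_blocks:
            # Too many blocks too fast: likely forged sources. Undo and back off.
            for _, ip in self.recent:
                self.blocked.discard(ip)
            self.recent.clear()
            self.idle_until = ts + self.idle
            return "rollback"
        self.blocked.add(src_ip)
        self.recent.append((ts, src_ip))
        return "blocked"


def simulate(alerts, gate):
    """Feed constructed (timestamp, source ip) alerts through the gate."""
    return [gate.on_alert(ts, ip) for ts, ip in alerts]
```

Feeding a spoofed DNS-server source followed by a burst of decoy sources through `simulate` shows the white-list hit, the blocks, the rollback, and the idle period.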

