June 27th, 2003, 04:25 PM
You should really really really really avoid making your IDS active. There are two main ways that an IDS will 'stop' 'bad' activity. 1) It will send a spoofed RST in both directions to cause the connection between the attacker and the victim to drop and 2) Some IDS and firewalls use the OPSEC standard for communication between them. An IDS event can trigger a block being added to the firewall.
Currently I DO have an IDS that CAN control and shut down ports being attacked on vendor specific routers and firewalls. But I don't trust it to stop attacks against ports that are already open, at least in real time.
Now, on to why, at least IMHO, both are BAD.
1.1) Amplification of heavy traffic. This actually happened to us. When unicode directory traversal was first announced as a vulnerability on IIS web servers, a quicky solution to stopping someone from performing the attack was to have it send the resets to drop the connection. This worked fine....until nimda hit. We were getting well over 1 million hits a day
for nimda and while our network would have dragged along with the initial traffic, the throwing out of resets in both directions provided an amplification factor for each packet of 3 (one packet in generates 2 packets out), and this ground our network to a halt until we could get the RST feature turned off.
1.2) Sending RESET's will only work with a stateful protocol like TCP. It won't work for UDP.
1.3) Sending RESET's may not stop a quick attack. I.e, if you can get the attack into one packet, by the time it is processed by the IDS and the RST makes it to both sides, the attack may have already run and completed and been successful.
2.1) False Positives. One of the biggest problems with both major types of IDS software (anamoly based and signature based) are false positives (events that are triggered but shouldn't have been). If you have your IDS setup to push blocks to your firewall, you could start blocking things that weren't really attacks...
2.2) Spoofing. If I know you are doing this and I don't like you, all I have to do is start sending your IDS spoofed packets claiming to originate with say, microsoft.com. I don't care if the session is established, the attack successful or anything else, that wasn't the goal. The goal was to trick your IDS into DoS'ng you...
IMHO, an IDS should always remain strictly passive. If you are interested in doing content filtering, you should be using devices that were meant to do such things, like firewalls (checkpoint can do this some), routers (through QoS), or through proxy/caching servers (many proxy servers can also filter on content).
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)