protecting against zero day attacks
Results 1 to 9 of 9

Thread: protecting against zero day attacks

  1. #1
    Member
    Join Date
    Jun 2004
    Posts
    77

    protecting against zero day attacks

    hi
    can an IPS protect against zero day attacks?
    what are some of the tools out there that can protect against 0 day attacks?
    thanks

  2. #2
    Member
    Join Date
    Sep 2005
    Posts
    77
    "Zero-day" attacks that take advantage of software vulnerabilities for which there are no available fixes
    With that in mind, and presumably you run a network of any size, you would obviously want to limit any exposure to potential sources of the attack. While none of these are fool proof, they may cut down the possibility of exposure which is better than nothing. A few ideas:
    *Firewalls with stateful packet inspection to help block external scan attempts
    *Devices with URL/Content filtering to cut out navigation to potentially malicious sites which may host malicious files....put there either by the site having been compromised or by shady moderators/admins
    *IDS with Anomaly Detection. While this might not stop a zero day attack from happening, it may quickly identify an infected/compromised machine.
    What is Anomaly Detection?

    Anomaly detection can be described as an alarm for strange system behavior. The concept stems from a paper fundamental to the field of security - An Intrusion Detection Model, by Dorothy Denning. In it, she describes building an "activity profile" of normal usage over an interval of time. Once in place, the profile is compared against real time events. Anything that deviates from the baseline, or the norm, is logged as anomalous.
    Anomoly detection takes quite a bit more work in configuring the said legit "activity profile" but its advantage over regular IDS is that its not always looking for specific signatures.
    These are just a few ideas, am sure the forum can come up with some more.
    %42%75%75%75%75%72%70%21%00

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Eyecre8
    "Zero-day" attacks that take advantage of software vulnerabilities for which there are no available fixes
    It's even worse..

    "Zero-day" attacks are attacks that take advantage of previously unknown software vulnerabilities. Because noone was aware (except the attackers) that there was a bug in the first place it also means no fixes and no signatures..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Sep 2003
    Posts
    101
    I find watching bugtraq helps alot. It wont really help you prevent 0days but it will help you keep on top of the big up and comming attacks that are out there. Most of the attacks you will see as an admin of a network wont be 0day. They will be attacks that were known for about a week or so and the skiddies have had time to write easy to use tools to exploit. Also I on my own network see alot of older attacks comming in (as compared to attacks that are only a few days old). I believe this is mainly skiddies using old tools to try and snatch up some of the unpatched systems out there.
    chown -r us ./bases

  5. #5
    Junior Member
    Join Date
    Jan 2006
    Posts
    25
    intrusion tolerant systems are the most successful method of dealing with zero-day attacks. the resources required for them are only justified in high risk environments.

    a simple example of an intrusion tolerant system in this case a web server would be:

    internet
    level 1: firewall
    level 2: ballot box
    level 3
    l3 system 1: windows + iis + asp
    l3 system 2: linux + apache + php
    l3 system 3: solaris + zeus + jsp
    level 4: incident response system

    each system has been developed in a black box manner so that equal inputs result in equal outputs.

    when a request is made by the client the ballot box polls each of the three systems.

    if the request is valid the ballot box will have three identical responses which is then forwarded to the client.

    if the request contained an exploit it is unlikely to cause an exception in more than one of the systems. in this case the vulnerable system will be outvoted by the other two. the client is provided the response and the incident response system is activated.

    the incident response system may automatically restore the compromised system and append a new rule to the firewall. recent insights into the calculation of unknown vulnerabilities related to metamorphic and polymorphic exploits could enable future incident response system to proactively defend against future related zero-day vulnerabilities as well.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    From experience: From outside to in, about 90% of the attacks are caused by viruses/worms. 9.99% are scriptkiddies and only 0.01% is trully worrisome. And you probably won't even detect that 0.01%... It get's lost in all the noise or they're so sophisticated none of your detection tools will detect it.. The only thing preventing total collapse is a layered security approach.. The more layers the better..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Also keep in mind that your IPS can be used in an attack on your network and block all your legitimate users.

    MS, that intrusion tolerant design sounds nice in theory, never seen it in practice, even in large FS instituions, I`m guessing it would be cost prohibitve for a number of reasons.
    Quis custodiet ipsos custodes

  8. #8
    Member
    Join Date
    Jun 2004
    Posts
    77
    Also keep in mind that your IPS can be used in an attack on your network and block all your legitimate users.
    hi
    am curious, how can an IPS be used to attack and block all legit users in a network? any examples, thanks.

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    An IPS is basicly an active IDS. Active being it's able to kill connections when an alert gets triggered. And we al know IDS's generate false positives. What if someone triggers alerts but spoofs his address? Then the IPS will happely kill those spoofed addresses. What if those spoofed addresses belong to your customers? You do the math
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •