Thread: protecting against zero day attacks

  1. #1

    protecting against zero day attacks

    hi
    can an IPS protect against zero day attacks?
    what are some of the tools out there that can protect against 0 day attacks?
    thanks

  2. #2
    Member
    Join Date
    Sep 2005
    Posts
    77
    "Zero-day" attacks that take advantage of software vulnerabilities for which there are no available fixes
    With that in mind, and presumably you run a network of any size, you would obviously want to limit any exposure to potential sources of the attack. While none of these are fool proof, they may cut down the possibility of exposure which is better than nothing. A few ideas:
    * Firewalls with stateful packet inspection to help block external scan attempts
    * Devices with URL/Content filtering to cut out navigation to potentially malicious sites which may host malicious files... put there either by the site having been compromised or by shady moderators/admins
    * IDS with Anomaly Detection. While this might not stop a zero day attack from happening, it may quickly identify an infected/compromised machine.
    What is Anomaly Detection?

    Anomaly detection can be described as an alarm for strange system behavior. The concept stems from a paper fundamental to the field of security - An Intrusion Detection Model, by Dorothy Denning. In it, she describes building an "activity profile" of normal usage over an interval of time. Once in place, the profile is compared against real time events. Anything that deviates from the baseline, or the norm, is logged as anomalous.
    Anomaly detection takes quite a bit more work in configuring the said legit "activity profile", but its advantage over regular IDS is that it's not always looking for specific signatures.
    These are just a few ideas, I am sure the forum can come up with some more.
    %42%75%75%75%75%72%70%21%00
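    The "activity profile" idea from the Denning paper cited above, as an added example that is not from this post: a baseline of per-host behaviour is built over a training interval, then real-time observations are compared against it and deviations are logged, without any signature. The host names, counts and the 3-sigma threshold are constructed assumptions, not real data.

    ```python
    from statistics import mean, pstdev
    from typing import Dict, List, Optional, Tuple

    # Constructed training data (not real logs): per-host hourly outbound
    # connection counts and distinct destination ports, sampled over a week
    # of known-good activity. This is the interval the profile is built from.
    TRAINING: Dict[str, List[Tuple[int, int]]] = {
        "ws-17": [(12, 3), (15, 4), (11, 3), (14, 3), (13, 4), (12, 3), (16, 4), (14, 3)],
        "db-01": [(40, 1), (42, 1), (38, 1), (41, 1), (39, 1), (40, 1), (43, 1), (41, 1)],
    }
    FEATURES = ("connections", "distinct_ports")


    class ActivityProfile:
        """Per-host, per-feature mean/stddev learned from the training interval."""

        def __init__(self, threshold: float = 3.0):
            self.threshold = threshold          # deviations above this many sigma are anomalous
            self.stats: Dict[str, List[Tuple[float, float]]] = {}

        def train(self, history: Dict[str, List[Tuple[int, int]]]) -> None:
            for host, samples in history.items():
                self.stats[host] = []
                for column in zip(*samples):    # one column per feature
                    mu = mean(column)
                    sigma = pstdev(column) or 1.0   # constant feature: any change counts as 1 sigma
                    self.stats[host].append((mu, sigma))

        def score(self, host: str, observation: Tuple[int, int]) -> Optional[Tuple[str, float]]:
            """Return (feature, deviation in sigma) for the worst deviation, or None if within profile."""
            worst = None
            for name, value, (mu, sigma) in zip(FEATURES, observation, self.stats[host]):
                z = abs(value - mu) / sigma
                if z > self.threshold and (worst is None or z > worst[1]):
                    worst = (name, round(z, 1))
            return worst


    def check_events(profile: ActivityProfile, events: List[Tuple[str, Tuple[int, int]]]) -> List[str]:
        """Compare real-time events against the profile; return one log line per anomaly."""
        alerts = []
        for host, observation in events:
            hit = profile.score(host, observation)
            if hit:
                alerts.append(f"ANOMALY host={host} feature={hit[0]} deviation={hit[1]}sigma")
        return alerts


    if __name__ == "__main__":
        profile = ActivityProfile()
        profile.train(TRAINING)
        # A normal hour, a host suddenly making hundreds of connections, and a
        # database host that never talked to more than one port starting to scan.
        for line in check_events(profile, [("ws-17", (14, 3)), ("ws-17", (400, 3)), ("db-01", (41, 5))]):
            print(line)
    ```

    Nothing in the profile knows what the attack looks like; it only knows what the host normally does, which is why this can flag a compromised machine for which no signature exists yet.
    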

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Eyecre8
    "Zero-day" attacks that take advantage of software vulnerabilities for which there are no available fixes
    It's even worse..

    "Zero-day" attacks are attacks that take advantage of previously unknown software vulnerabilities. Because no one was aware (except the attackers) that there was a bug in the first place, it also means no fixes and no signatures..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Sep 2003
    Posts
    101
    I find watching bugtraq helps a lot. It won't really help you prevent 0days, but it will help you keep on top of the big up and coming attacks that are out there. Most of the attacks you will see as an admin of a network won't be 0day. They will be attacks that were known for about a week or so, and the skiddies have had time to write easy to use tools to exploit them. Also, on my own network I see a lot of older attacks coming in (as compared to attacks that are only a few days old). I believe this is mainly skiddies using old tools to try and snatch up some of the unpatched systems out there.
    chown -r us ./bases

  5. #5
    Junior Member
    Join Date
    Jan 2006
    Posts
    25
    intrusion tolerant systems are the most successful method of dealing with zero-day attacks. the resources required for them are only justified in high risk environments.

    a simple example of an intrusion tolerant system in this case a web server would be:

    internet
    level 1: firewall
    level 2: ballot box
    level 3
    l3 system 1: windows + iis + asp
    l3 system 2: linux + apache + php
    l3 system 3: solaris + zeus + jsp
    level 4: incident response system

    each system has been developed in a black box manner so that equal inputs result in equal outputs.

    when a request is made by the client the ballot box polls each of the three systems.

    if the request is valid the ballot box will have three identical responses which is then forwarded to the client.

    if the request contained an exploit it is unlikely to cause an exception in more than one of the systems. in this case the vulnerable system will be outvoted by the other two. the client is provided the response and the incident response system is activated.

    the incident response system may automatically restore the compromised system and append a new rule to the firewall. recent insights into the calculation of unknown vulnerabilities related to metamorphic and polymorphic exploits could enable future incident response systems to proactively defend against future related zero-day vulnerabilities as well.
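    The ballot box described in this post, as an added example that is not from the post or any real product: three heterogeneous black-box replicas answer the same request, the majority answer is returned, and an outvoted replica is handed to the incident response layer, which restores it and adds a firewall rule. The replica names, the `weak_to` marker that stands in for a platform-specific bug, and the fail-closed 503 on a split vote are all constructed assumptions.

    ```python
    from collections import Counter
    from dataclasses import dataclass, field
    from typing import Dict, List, Optional


    @dataclass
    class Replica:
        """Level 3: one black-box web stack; equal inputs must give equal outputs."""
        name: str
        # Constructed stand-in for a bug unique to this platform: a request containing
        # this marker makes only this replica misbehave. Not a real vulnerability.
        weak_to: Optional[str] = None
        compromised: bool = False

        def handle(self, request: str) -> str:
            if self.weak_to and self.weak_to in request:
                self.compromised = True
                return f"500 Internal Server Error ({self.name})"   # platform-specific failure
            return f"200 OK len={len(request)} body={request.strip().lower()}"


    @dataclass
    class IncidentResponse:
        """Level 4: restores the outvoted system and appends a firewall rule."""
        firewall_rules: List[str] = field(default_factory=list)
        restored: List[str] = field(default_factory=list)

        def handle(self, replica: Replica, request: str) -> None:
            replica.compromised = False                  # re-image from a known-good state
            self.restored.append(replica.name)
            self.firewall_rules.append(f"drop requests containing {request!r}")


    class BallotBox:
        """Level 2: fans each request out to every replica and majority-votes the answers."""
        def __init__(self, replicas: List[Replica], ir: IncidentResponse):
            self.replicas, self.ir = replicas, ir

        def serve(self, request: str) -> str:
            answers: Dict[str, str] = {r.name: r.handle(request) for r in self.replicas}
            winner, votes = Counter(answers.values()).most_common(1)[0]
            if votes <= len(self.replicas) // 2:
                return "503 Service Unavailable"         # no majority: fail closed, don't guess
            for r in self.replicas:
                if answers[r.name] != winner:            # outvoted system is treated as compromised
                    self.ir.handle(r, request)
            return winner


    def demo():
        ir = IncidentResponse()
        box = BallotBox([Replica("windows+iis+asp", weak_to="<badchar>"),
                         Replica("linux+apache+php"), Replica("solaris+zeus+jsp")], ir)
        return box.serve("GET /index"), box.serve("GET /index<badchar>"), ir
    ```

    The voting only works while a bug is confined to one replica; if two stacks share the same flaw (or the same library), they outvote the healthy one, which is the design's main caveat.
    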

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    From experience: From outside to in, about 90% of the attacks are caused by viruses/worms. 9.99% are scriptkiddies and only 0.01% is truly worrisome. And you probably won't even detect that 0.01%... It gets lost in all the noise or they're so sophisticated none of your detection tools will detect it.. The only thing preventing total collapse is a layered security approach.. The more layers the better..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Also keep in mind that your IPS can be used in an attack on your network and block all your legitimate users.

    MS, that intrusion tolerant design sounds nice in theory, never seen it in practice, even in large FS institutions. I'm guessing it would be cost prohibitive for a number of reasons.
    Quis custodiet ipsos custodes

  8. #8
    Also keep in mind that your IPS can be used in an attack on your network and block all your legitimate users.
    hi
    I am curious, how can an IPS be used to attack and block all legit users in a network? Any examples? Thanks.

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    An IPS is basically an active IDS. Active being it's able to kill connections when an alert gets triggered. And we all know IDSes generate false positives. What if someone triggers alerts but spoofs his address? Then the IPS will happily kill those spoofed addresses. What if those spoofed addresses belong to your customers? You do the math.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
