The Achilles Heel of Penetration Testing
A post by ISC's Rob VandenBrink describes a new trend in Intrusion Detection Systems: IP blacklist score aggregation. In this approach, IP addresses that exhibit questionable behavior (reports sometimes come from multiple systems and networks, and the behavior is sometimes innocuous but merely looks questionable to the algorithm) are rated, and the ratings are stored in a central database.
When new traffic is seen from that IP address, the IDS performs a simple bit-by-bit and header analysis, queries the database, and scores the packet as malicious or not.
What this means, essentially, is that if you are a penetration tester, run routine tests on your own network, or are simply a user who accesses a lot of admin pages (or uses poorly coded software), you may be at risk of being blocked or throttled by Intrusion Detection Systems, even when you need legitimate access to a network system. IP-based blacklisting is too rigid, and counterproductive if not implemented properly.
This is a strong case against simple rule-, filter- and table-based detection systems, and a case for stronger, smarter detection algorithms and human involvement in network operations. What are you using to detect network anomalies and malicious network traffic?
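As an added illustration (not code from the ISC post or from this article), here is a toy reputation aggregator in Python over constructed sensor reports: it shows how the rigid scoring the post warns about blocks an authorised test host, and the allowlist, de-duplication and expiry controls an operator can add so it does not. The verdict names, weights, threshold, window and IP addresses are all hypothetical.

```python
# Constructed example: a toy IP-reputation aggregator of the kind the post
# describes, with the controls that keep it from blocking legitimate users.

# Operator-chosen weights per sensor verdict (hypothetical values).
WEIGHTS = {"port-scan": 3.0, "sqli-pattern": 4.0, "admin-page-access": 0.5}
BLOCK_THRESHOLD = 6.0
WINDOW = 3600  # seconds; a hit expires after this instead of lasting forever

# Constructed sensor reports: (seconds, reporting sensor, source IP, verdict).
REPORTS = [
    (0,   "ids-dc1", "198.51.100.7", "port-scan"),
    (30,  "ids-dc2", "198.51.100.7", "port-scan"),  # same scan, second sensor
    (120, "ids-dc1", "198.51.100.7", "sqli-pattern"),
    (0,   "waf-1",   "203.0.113.9",  "admin-page-access"),
    (60,  "waf-1",   "203.0.113.9",  "admin-page-access"),
    (600, "waf-1",   "203.0.113.9",  "admin-page-access"),
]


def naive_score(reports, ip):
    """The rigid approach: every report, from every sensor, counts forever."""
    return sum(WEIGHTS.get(v, 1.0) for _, _, src, v in reports if src == ip)


def score_ip(reports, ip, now, allowlist=frozenset()):
    """Aggregate a reputation score for one IP with three safeguards:
    - authorised addresses (pentest hosts, monitoring) are never scored;
    - the same verdict seen by several sensors in the same minute counts once;
    - hits older than WINDOW expire, so one noisy hour is not a life sentence.
    """
    if ip in allowlist:
        return 0.0
    seen, total = set(), 0.0
    for ts, _sensor, src, verdict in reports:
        if src != ip or ts > now or now - ts > WINDOW:
            continue
        key = (verdict, ts // 60)  # de-duplicate per verdict per minute
        if key in seen:
            continue
        seen.add(key)
        total += WEIGHTS.get(verdict, 1.0)
    return total


def decide(reports, ip, now, allowlist=frozenset()):
    """Return 'block' or 'allow' for traffic from ip at time now."""
    score = score_ip(reports, ip, now, allowlist)
    return "block" if score >= BLOCK_THRESHOLD else "allow"
```

With these reports the naive score for 198.51.100.7 is 10.0 and never drops, while the guarded scorer gives 7.0 (block) at t=200, 0.0 (allow) once the hits have expired, and 0.0 whenever the address is on the authorised-tester allowlist.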