mht@CLARK.NET writes:
> Not quite. NFR has the same type of issues as their competitors do. None
> of the current IDS applications are capable of handling a large amount of
> packets (i.e. 1,000,000 jolt2 attacks).
Using Netfilter (under Linux), would avoid many IDS to duplicate
kernel work :
for exemple it would avoid defragmenting IP packet.
Actually, the only problem with Netfilter is that it
automatically discard promiscuous received packet,
which is bad for whole network based IDS.
To quote the Netfilter hacking howto :
<snip>
On the left is where packets come in: having passed the simple sanity
checks (i.e., not truncated, IP checksum OK, not a promiscuous receive),
they are passed to the netfilter framework's NF_IP_PRE_ROUTING [1] hook.
</snip>
If Netfilter hook could be a little bit more fine grained (for exemple
implementing a hook in order to get packet promiscuous received),
could be a big advantage for things like network IDS...
If that is done, network IDS will only have to defragment promiscuous
received fragmented packet, which would be a big gain.
Anyway, your IDS is also limited to the way your operating system
handle packet... if it is vulnerable to an attack like jolt2, your
IDS will also suffer of it.
Ps : i've CC'd this message to lkml & Rusty because i thought
netfilter kernel hacker could comment on the subject.
-- -- Yoann http://www.mandrakesoft.com/~yoann/ It is well known that M$ product don't make a free() after a malloc(), the unix community wish them good luck for their future development.- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:19 EST