
I think every company uses the same process of blocking IP addresses that generate suspicious traffic as a way to mitigate attacks. However, that is a never-ending process of chasing attackers instead of being one step ahead of them.

Are there any methods that go beyond just blocking the IP of suspicious traffic? Especially since any attacker worth anything will always be spoofing their IP.

For example, is there a way to: flag suspicious traffic, analyze the traffic, create a fingerprint of the traffic, develop a signature based on the fingerprint, and finally automate the process of preemptively suppressing traffic that matches the tainted signature?

Does that make sense? Please ask clarifying questions if it doesn't make sense.

PS: This is my first SE post so I hope everything is in order.

Sarwar
  • There are a bunch of companies working in this space - a network intrusion detection system is the thing to google here. – crovers Sep 22 '16 at 14:58
  • You've just described the basic functionality of Snort and/or Bro. – Ivan Sep 22 '16 at 15:34
  • "any attacker worth anything will always be spoofing their IP" In the case of low-level attacks on the TCP, ICMP, UDP or other protocols, this is true. For application attacks which require a successful two-way TCP connection (i.e. attacking a webserver, or sending SPAM), attackers will rotate IPs, and perhaps also use proxies (probably shouldn't block) or open relays (probably OK to block). However, they will not be able to spoof IPs technically in that scenario. – 700 Software Sep 22 '16 at 16:59
  • Welcome to Security Stack Exchange! – 700 Software Sep 22 '16 at 16:59

1 Answer


There are other alternatives; collective honeypots that generate lists of common attackers are one alternative. I maintain a list built from the results of some honeypots (both public and private) and some production servers that I own.

Is there a way to analyse everything on the internet, like a global IDS system? Yes, there is, but if you have ever used an IDS/IPS system before, you can imagine how many false positives would be generated and the amount of processing power needed to run it on a global scale.

You can focus on protecting your company: a good firewall, a web application firewall, an IDS/IPS solution, good internal procedures, security policies, regular pentests, antivirus solutions, training the users so they don't open everything that they receive via e-mail, and the list goes on. There are several things that you can do to help.

You can always do some proactive work, but imagine the scenario where the attacker has never attacked any other host before, so he won't be on any list, and his first attack is against your company. It's the concept of pre-crime: how would you know that he will attempt to do something, and block it beforehand?

Don't ever expect that one solution will make you 100% secure; if you apply my list to your firewall, you will still be vulnerable to the above scenario and several others. But usually hosts that are compromised and have become part of a botnet will launch several kinds of attacks and scans. Keep that in mind when you try to block something.

OPSXCQ
  • We currently have all the different methods you mentioned in place, but I'm trying to find (or develop) something that does tackle the concept of "pre-crime". Here's my ideal case: 1. Login session A does non-suspicious task AA. 2. Login session A does non-suspicious task AB. 3. Login session A does non-suspicious task AC. 4. Login session A does suspicious task AD. 5. Task AD will be picked up by firewall and the IP will be blocked. 6. A fingerprint will be established for AD. 7. From now on, whenever someone tries AA -> AB -> AC, IP will automatically be blocked because AD is anticipated. – Sarwar Sep 22 '16 at 16:04
  • @Sarwar Are you trying to enforce this at the network or application layers, or across both? Who defines what AD is and asserts that it is bad? – Ivan Sep 22 '16 at 18:46
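The session-prefix idea from the last two comments (learn a fingerprint from a session that ended in a task the firewall flagged, then act on the prefix AA -> AB -> AC), as an added example that is not part of the original thread. Session ids, task names and the history are constructed, and the precision threshold and minimum session count are assumptions; the example also shows the false-positive case Ivan's question points at, where a benign session shares the same prefix.

```python
# Added example of the session-prefix "pre-crime" check from the comments (AA -> AB -> AC -> AD).
# Not code from the original post; session ids, task names and history are constructed.
from collections import defaultdict

LENGTH = 3        # number of preceding tasks that form the fingerprint
MIN_SESSIONS = 2  # refuse to block on a prefix seen too rarely (assumed threshold)
BLOCK_AT = 0.9    # share of sessions with this prefix that went on to a suspicious task (assumed)

# Constructed history: (session_id, task). "AD" is the task the firewall already flagged,
# so a human or rule asserted that it is bad (Ivan's question).
HISTORY = [
    ("s1", "AA"), ("s1", "AB"), ("s1", "AC"), ("s1", "AD"),
    ("s2", "AA"), ("s2", "AB"), ("s2", "AC"), ("s2", "AD"),
    ("s3", "AA"), ("s3", "AB"), ("s3", "AC"), ("s3", "AE"),  # benign, same prefix
    ("s4", "CA"), ("s4", "CB"), ("s4", "CC"), ("s4", "AD"),
    ("s5", "CA"), ("s5", "CB"), ("s5", "CC"), ("s5", "AD"),
]
SUSPICIOUS = {"AD"}

def sessions(log):
    """Group (session_id, task) records into per-session task sequences, in log order."""
    seqs = defaultdict(list)
    for sid, task in log:
        seqs[sid].append(task)
    return dict(seqs)

def learn_prefixes(log, suspicious, length=LENGTH):
    """Map each run of `length` tasks to [hits, total]: total counts sessions in which some
    task followed that run, hits those where the following task was suspicious."""
    stats = defaultdict(lambda: [0, 0])
    for seq in sessions(log).values():
        for i in range(length, len(seq)):
            prefix = tuple(seq[i - length:i])
            stats[prefix][1] += 1
            stats[prefix][0] += seq[i] in suspicious  # bool counts as 0/1
    return dict(stats)

def assess(tasks_so_far, stats, length=LENGTH):
    """'block' only when the prefix was seen often enough and almost always preceded a
    suspicious task; 'alert' when it sometimes did (s3 shows why); otherwise 'allow'."""
    if len(tasks_so_far) < length:
        return "allow"
    hits, total = stats.get(tuple(tasks_so_far[-length:]), (0, 0))
    if total >= MIN_SESSIONS and hits / total >= BLOCK_AT:
        return "block"
    return "alert" if hits else "allow"

if __name__ == "__main__":
    stats = learn_prefixes(HISTORY, SUSPICIOUS)
    print([assess(s, stats) for s in (["AA", "AB", "AC"], ["CA", "CB", "CC"], ["AA", "AB"])])
```

With this history the AA -> AB -> AC prefix only raises an alert, because one of the three sessions that showed it stayed benign; blocking on it outright would have hit that session too.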