Go with the flow

We deployed four rate-limiting intrusion-prevention system products on our live, three-site network. Those products were Captus IPS 4100 from Captus Networks, Sleuth9 from DeepNines Technologies, Attack Mitigator IPS from Top Layer Networks and NetProtect LG100 from Vsecure Technologies.

Our criteria for testing these products followed the requirements of any network professional using one:

•  How does the product let you define what traffic to control and set the limits?

•  How can you define policy on the IPS regarding what it should do when limits are exceeded? How well does it execute that policy?

•  What does it offer in terms of tuning and discovery tools?

•  What does it offer by way of management wares?

•  Are there content-based IPS or basic firewalling included?

Attack Mitigator IPS quickly moved to the top of the heap because of its comprehensive tools for managing multiple kinds of distributed denial-of-service (DoS) attacks.

Identifying the bad guys

Rate-based IPS devices must provide detailed control of traffic flow. Tuning the IPS means telling it which traffic to look at and what the limits are on that traffic. We discovered wide variation in product capabilities and in how much you must know about your network to use them.

All four products let you define what applications and servers you want to protect, usually by identifying a combination of source and destination IP addresses, along with source and destination port and protocol. In most cases, either the source or destination address will be a wildcard (indicating "the Internet"). For example, you might limit queries to your DNS server to 1,000 per second. Simple rules covering bandwidth and connection limiting (often called SYN flood protection) are something you can do in any rate-based IPS.

In terms of providing sophisticated rate controls, Attack Mitigator IPS maintains knowledge of connection state for traffic flowing through it. While other products can detect floods of traffic or connection requests, Attack Mitigator can tell whether connections are being built up slowly on a protected server. That intrusion technique, common in DoS attacks, could slip by the other products.

A similar, but not as powerful, feature is in NetProtect LG100. You can define a connection flood protection for a service on a particular system, but you can't say how many connections that service can support. You have to pick one of four values for "sensitivity": minor, low, medium or high. Neither Vsecure's GUI nor its documentation gave sufficient meaning to what those values are. NetProtect detects idle connections building up from a single source, but not more sophisticated attacks that slowly keep sending small bits of data or are distributed across a large number of systems.

Other types of limiting technologies these products offer might be useful in environments where the traffic mix and parameters are known. For example, Captus lets you make decisions based on average packet size, while Vsecure detects the mix of protocols (TCP vs. User Datagram Protocol [UDP] vs. Internet Control Messaging Protocol) and can shut things down if the mix doesn't fit within your parameters. That's an interesting idea, but gathering the data to apply these controls is a difficult exercise.

We ran into design issues with some of these products. The most severe was in Sleuth9's adaptive filtering feature called "spike protection." DeepNines engineers could not tell us exactly what the algorithm for spike protection is but did say that it limits traffic automatically whenever a system's load exceeds historical levels. So if you have a back-up server that kicks in every night, the Sleuth9 could start dropping packets. Worse, you can't tune or disable that feature.

Once an IPS identifies that reconnaissance activity or an attack is happening, the bigger question is: What are you going to do about it? For certain kinds of attacks, such as a port scan or a Code Red worm, the obvious answer is drop those packets. When you get into rate-based IPS, the options get more complex, and the issues at hand, more subtle.

The IPS 4000 offered the most sophisticated set of reaction options. You could identify an overload on an FTP server, for example, and initially start throttling traffic for a minute. If the overload continued, you could cut off access from the client overloading the server. If things went on for several minutes, you could send an alert. In all, Captus gives you four responses to bad traffic: send an alert, limit traffic levels, drop traffic entirely and reroute traffic.

NetProtect and Sleuth9 offer the ability to block or limit traffic, but Top Layer adds a third option: connection proxying. This lets the Attack Mitigator protect systems before they are overwhelmed. In addition to limiting the number of connections, you can set thresholds for incomplete TCP connections that indicate suspicious behavior. Once these limits are surpassed, new connections will be proxied by the Attack Mitigator. If the connection completes, then Attack Mitigator passes the connection to the actual server. If things get worse, Attack Mitigator will start blocking all connections from malicious attackers.