>> Target the IPS all you want but do it with real payloads, BS known
>> unsuccessful payloads are trivially post processed and thus entirely
>> ineffective. You should use real payloads or achieve evasion so you at
>> least force wetware analysis and/or endpoint intelligence.
>
> Now, you are missing the point, because real payloads help you to attack the
> target and fake payloads just bore you and mess with your relaxation.
>
This is exactly my point and why I said we are talking past each other. It is both convenient and coincidental that the example you chose is easily launched towards any address, and is fully valid if there happens to be a vulnerable target at the other end. It does not matter at all whether you use a payload that has no chance of success or a real payload; you can still inundate the analyst or get them out of bed. Are 1M useless payloads any more or less effective than 1M real payloads or 1M random payloads? Is it a false positive if the attack uses real payloads and is moving across the wire only waiting to hit a vulnerable target but never finds one?

Regardless of the method used to detect the attack, it can be launched millions of times regardless of likelihood of success, because it is using a stateless protocol, creating the conditions you are talking about. This is analyst 101 stuff and there are strategies for handling it in the absence of endpoint intelligence; all of those strategies are a trade between practicality and perfect security. There are several approaches used in the market to mask the problem this presents: anomaly detection, policy enforcement, strict protocol enforcement, adaptive thresholds, etc.

In order to successfully solve this problem you must know, at the moment the attack hits the target, whether or not it could have been successful. This is called endpoint intelligence, and when it is used properly it largely eliminates the threat vector entirely.

The bottom line is that there are always trade-offs to be made and there is no perfect technology. This is not a valid reason to dismiss an approach or even challenge it as not effective for the stated purpose.

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
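The endpoint-intelligence idea argued for in the message above (knowing, when an alert fires, whether the target could have been vulnerable) is easy to sketch in code. The following is an added example, not code from the thread or from any of the products it mentions: a small triage routine that checks each IDS alert against a constructed asset inventory, drops alerts aimed at hosts that are not listening on the attacked port or are recorded as patched for that signature, and collapses a burst of repeated stateless attempts into one escalation per distinct source, target and signature. The inventory, the signature name `HYPOTHETICAL-DNS-SIG`, and the sample alerts are all invented for the example.

```python
"""Endpoint-intelligence triage for a burst of IDS alerts (constructed example).

A stateless attack can be sprayed at every address millions of times; the
analyst only needs to see the attempts that could have succeeded, or that hit
hosts about which nothing is known.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src: str    # attacking address as seen by the IDS
    dst: str    # targeted host
    dport: int  # targeted port
    proto: str  # "udp" or "tcp"
    sig: str    # IDS signature name


# Constructed asset inventory (hypothetical). In practice this comes from a
# CMDB or vulnerability-scanner export: which (port, proto) pairs each host
# actually exposes, and which signatures are known not to apply to it.
INVENTORY = {
    "10.0.0.5": {"listening": {(53, "udp")}, "patched_sigs": set()},
    "10.0.0.6": {"listening": {(53, "udp")}, "patched_sigs": {"HYPOTHETICAL-DNS-SIG"}},
    "10.0.0.7": {"listening": {(80, "tcp")}, "patched_sigs": set()},
}


def classify(alert, inventory):
    """Verdict for one alert: 'actionable', 'not-listening', 'patched' or 'unknown-host'."""
    host = inventory.get(alert.dst)
    if host is None:
        # No endpoint intelligence for this target: the alert cannot be judged
        # automatically and must go to a human.
        return "unknown-host"
    if (alert.dport, alert.proto) not in host["listening"]:
        return "not-listening"
    if alert.sig in host["patched_sigs"]:
        return "patched"
    return "actionable"


def triage(alerts, inventory):
    """Split a burst of alerts into what an analyst must see and what is noise.

    Returns (escalate, counts). `escalate` holds one (alert, verdict) pair per
    distinct (src, dst, sig) whose verdict is 'actionable' or 'unknown-host';
    repeats of the same attempt are counted but not re-escalated. `counts` is a
    Counter of verdicts over every alert seen, so the suppressed volume is
    still visible for reporting and threshold tuning.
    """
    counts = Counter()
    seen = set()
    escalate = []
    for a in alerts:
        verdict = classify(a, inventory)
        counts[verdict] += 1
        if verdict in ("actionable", "unknown-host"):
            key = (a.src, a.dst, a.sig)
            if key not in seen:
                seen.add(key)
                escalate.append((a, verdict))
    return escalate, counts


def make_sample_alerts():
    """Constructed burst: one source fires the same UDP/53 signature three times
    at each of four hosts, one of which (10.0.0.9) is absent from the inventory."""
    targets = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.9"]
    return [
        Alert("198.51.100.7", dst, 53, "udp", "HYPOTHETICAL-DNS-SIG")
        for dst in targets
        for _ in range(3)
    ]


if __name__ == "__main__":
    escalated, counts = triage(make_sample_alerts(), INVENTORY)
    print("verdict counts:", dict(counts))
    for alert, verdict in escalated:
        print(f"escalate {alert.src} -> {alert.dst}:{alert.dport}/{alert.proto} "
              f"{alert.sig} [{verdict}]")
```

Twelve alerts come in; only two reach the analyst: the one target that is listening and unpatched, and the one host the inventory knows nothing about. The unknown-host case is the trade-off the message describes: without endpoint intelligence for a target, the only safe choice is to escalate.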
