Noise vs. Pattern
When does malicious traffic directed towards your network become white noise instead of part of the overall threat picture? The oft-used example is the Code Red worm. To this day there are still infected servers spewing out traffic that has faded into the white noise of the Internet. Very few have Code Red signatures enabled on their IDS and even fewer would actually look at any alerts that were generated from them.
But what about current valid exploits directed against a non-affected server? What about PHP attacks launched against an .ASP server? Should we be concerned? What about taking action?
I think there are two schools of thought on this. An instructor I had in a SANS class phrased it this way: "If you can't play nice on my network, you can't play on my network."
I'd love to be able to follow that philosophy. Unfortunately there are other factors that come into play when you're defending someone else's network, especially a large one.
Shunning malicious IPs involves one of several scenarios. If you're running IPS and are doing inline blocking, it's automatic, assuming the signature or rule is set to block. That's the good news. The bad news is: it's automatic. IT managers shudder at the thought of a customer trying to access their public web app servers and being blocked by a false positive on the IPS, as well they should. That's still the overarching issue with IPS: how much do you trust it not to accidentally block legitimate traffic? So, many times, the IPS is set to only block really noisy, old attacks that have almost a zero percent chance of false positives. Not terribly helpful.
Another way to deal with pervasive attacks is to shun the IP at the border router. This is a process. First you must document the attacks that you are seeing, with logging and/or packets. You must then present your case to someone higher up (unless you're in management and have that authority) that the IP needs to be shunned and get their approval. Then you'll need to get change request approval. Even if there is a short-path approval process for situations like this, it still takes time. You may find that by the time you shun the IP, the attacks have stopped and never come back again from that IP. That's a very good possibility because of the pervasiveness of botnets. An attacker never needs to use the same IP twice; he/she has many to choose from. That way the attack can't be shunned and it's very difficult for the defender to try and respond.
Another consideration is: Is there human intelligence behind the attack? Is someone probing, looking for a way to exploit a host, or is it a blind sweep of your whole address space and hundreds of other folks' space as well? A real attack won't be that noisy unless the attacker is completely incompetent. Does the attack make any sense? Seeing zone transfer attempts against your web servers is a really good indication the attacker just wound up a script and is whacking against a whole range of IPs. Most of what we see today, or at least what I see, are fishing expeditions. They run for an hour, a few hours, and we never see that IP again.
So what's noise and what's of real concern? There isn't any easy answer to this. It all depends on how much analysis you can do and what can be determined, how large your public presence is and how pervasive the traffic is, how much of the traffic an organization would classify as an acceptable risk and what the return would be on your investment of time to respond and block the traffic.
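As an added illustration (not part of the original diary), here is a small Python triage script that applies the questions above to constructed IDS alert lines: does the signature family apply to what the target host actually runs, is the source hitting a wide range of hosts (blind sweep) or just a few (possible probing), and how long did it run? The asset inventory, the signature-to-technology mapping, the alert line format and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory (hypothetical): what each public host actually runs.
ASSETS = {
    "203.0.113.10": {"asp"},   # IIS/ASP web server
    "203.0.113.20": {"asp"},
    "203.0.113.53": {"dns"},   # authoritative DNS
}
# Constructed mapping of alert families to the technology they can actually affect.
SIG_TARGETS = {"WEB-PHP": {"php"}, "WEB-IIS": {"asp"}, "DNS-ZONE-XFER": {"dns"}}
LEGACY_NOISE = {"WORM-CODERED"}   # dead-worm traffic: nothing in ASSETS is vulnerable to it
SWEEP_HOSTS = 3                   # this many hosts with nothing applicable = blind sweep

# Constructed alert lines in the form ts|src|dst|signature (not real traffic).
ALERTS = [
    "2024-05-01T10:00:00|198.51.100.7|203.0.113.10|WEB-PHP",        # PHP attack on ASP box
    "2024-05-01T10:00:02|198.51.100.7|203.0.113.20|WEB-PHP",
    "2024-05-01T10:00:04|198.51.100.7|203.0.113.53|WEB-PHP",
    "2024-05-01T10:00:05|198.51.100.7|203.0.113.10|DNS-ZONE-XFER",  # zone xfer at a web server
    "2024-05-01T11:30:00|198.51.100.9|203.0.113.10|WEB-IIS",        # matches the target stack
    "2024-05-01T11:45:00|198.51.100.9|203.0.113.10|WEB-IIS",
    "2024-05-01T12:00:00|198.51.100.21|203.0.113.10|WEB-PHP",       # one host, nothing applicable
    "2024-05-01T12:20:00|198.51.100.21|203.0.113.10|WEB-PHP",
    "2024-05-01T03:00:00|192.0.2.44|203.0.113.10|WORM-CODERED",     # Code Red leftovers
]

def parse_alert(line):
    ts, src, dst, sig = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "sig": sig}

def classify(alerts):
    """Label one source IP's alerts: noise / sweep / probe / review."""
    if {a["sig"] for a in alerts} <= LEGACY_NOISE:
        return "noise"
    # An alert only matters if its family applies to what the target host really runs.
    relevant = [a for a in alerts
                if SIG_TARGETS.get(a["sig"], set()) & ASSETS.get(a["dst"], set())]
    if relevant:
        return "review"
    hosts = {a["dst"] for a in alerts}
    return "sweep" if len(hosts) >= SWEEP_HOSTS else "probe"

def triage(lines):
    """Group alert lines by source: {src: (verdict, alert count, host count, minutes active)}."""
    per_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        per_src[a["src"]].append(a)
    out = {}
    for src, alerts in per_src.items():
        ts = [a["ts"] for a in alerts]
        minutes = (max(ts) - min(ts)).total_seconds() / 60
        out[src] = (classify(alerts), len(alerts), len({a["dst"] for a in alerts}), minutes)
    return out
```

"sweep" and "noise" are candidates for the white-noise bucket; "review" and "probe" are the ones worth an analyst's time before deciding on a shun.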