This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About aaronm

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
aaronm
‎03-28-2024
since ‎04-24-2012
L1 Bithead
User Activity
User Profile
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎04-24-2012 08:15 AM
Date Last Visited ‎03-28-2024 07:14 AM
Posts 7
Total Likes Received 1

Re: NTP attacks - threshold-based blocks?

by in General Topics
‎02-06-2014 10:42 AM
‎02-06-2014 10:42 AM
For a custom signature, only ever built one that used existing vulnerabilities.  Since those are not triggering in this case, how could I define a new one based simply on the fact that it is recognized as a NTP application? ... View more

Re: NTP attacks - threshold-based blocks?

by in General Topics
‎02-06-2014 10:40 AM
‎02-06-2014 10:40 AM
The problem with this signature is that it's not what's being triggered in this case.  In fact, none of the NTP vulnerabilities were getting triggered.  It showed up instead as traffic and application "NTP".  Blocking anything but legitimate is easier said than done here - being a university with a lot of scientists and research going on, it may take the security teams weeks or months to determine what is officially needed vs. wanted. ... View more

Re: NTP attacks - threshold-based blocks?

by in General Topics
‎01-22-2014 01:55 PM
‎01-22-2014 01:55 PM
Yes - I was looking into it and that was the approach that I was going to try taking.  The catch is, we only want this applied on a per IP basis, not to all traffic using UDP 123, or again, with over 40K devices, that threshold would be overrun very quickly. It would be better if PAN could define a new brute-force vulnerability for NTP so that it could be setup with a configurable threshold, and then an action be picked as a result.  Until that happens though (or if it happens at all) the DoS method may be the only thing I have to use against it. ... View more

Re: NTP attacks - threshold-based blocks?

by in General Topics
‎01-22-2014 10:39 AM
‎01-22-2014 10:39 AM
Hmm... that might work if I can create a firewall rule to limit such DoS protection to only the NTP traffic - applying that to the campus traffic as a whole would seriously break things. ... View more

NTP attacks - threshold-based blocks?

by in General Topics
‎01-22-2014 07:44 AM
1 Kudo
‎01-22-2014 07:44 AM
1 Kudo
Our campus has been getting a lot of NTP DDoS attacks of late.  While the simple solution would be to shut it down except for necessary systems, the problem (as per usual in public-sector) is that everyone seems to want to run something that uses it and complains if we start blocking. Looking at the attacks, it's very easy to see the difference between a legitimate NTP query (1 or 2 packets) and an attack.   My question is: Is there a way to define a threshold-based filter that will drop or block the attack as with brute-force type attacks?  That would solve all of the issues. ... View more
Labels:

Re: Treating & Blocking "incomplete" TCP traffic like a Brute Force?

by in General Topics
‎01-08-2014 11:54 AM
‎01-08-2014 11:54 AM
I am aware that everything essentially starts as incomplete.  I was hoping there was a way that it could track how many incomplete transactions were coming from an IP and act based on passing a certain threshold after a time. The problem with the DoS protection is that when we last turned it on (during testing of the firewall), it was triggering on passing the established thresholds within minutes, and dropping a great deal of traffic to the campus.  It seems to not apply the DoS to individual external offending IPs, but to the traffic as a whole.  Zone-based may be a way to better control that, but zone-based DoS is not (or was not at the time) logged, and we must log any packet that is dropped/blocked. ... View more

Treating & Blocking "incomplete" TCP traffic like a Brute Force?

by in General Topics
‎01-08-2014 11:11 AM
‎01-08-2014 11:11 AM
Short question - can it be done? Now, I know what "incomplete" entries are in the log - they are failed 3-way handshakes, or ones that completed with no additional data.  The problem is that "incomplete" is not an application or vulnerability that I can select and apply to rules in order to drop it.  Now, I realize I could get rid of it by crafting a more specific rule that does not simply pass "any" service, but uses Application defaults.  The reason I don't do that is that I work at a university, and it is university mandate (as with many public institutions) to block and/or censor as little of the Internet as possible.  Basically unless it's a known bad thing, I'm not allowed to block it.  That said, being able to define "incomplete" as a vulnerability and set it up like some of the Brute Force attacks (SSH, for example) would be greatly beneficial.  I could then set a threshold for how many of these I would permit before putting the offending external IP into quarantine.  Is there a way to do this? ... View more
Labels:
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎03-28-2024 07:14 AM
Latest Tags
No tags yet
Likes From
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks