Beware Of The Red Dragon

I have dedicated several posts to NG-IPS, the next step in the evolution of network security (or, better said, context security). I have pointed out that one of the main features of this kind of device is the capability to enforce location-based security services. Now it is time to give some practical examples showing how Geo Protection features can be helpful and why they are needed in these troubled days.

A few days ago I had the opportunity to analyze the data collected from a network security device placed at the perimeter of an important Italian customer, with the IPS engine turned on and the Geo Protection feature enabled. I show here a brief summary of the collected data, which span approximately a thirty-day period ranging from 1 to 27 November 2011.

As you may easily notice, the collected data show Geo Protection events undoubtedly at number one, with 713,117 occurrences. The enforced Geo Protection Policy blocked traffic from and to several “bad countries”. Can you guess which country was detected by the Geo Protection Policy with the highest rate of attacks? The top attack source report contains the answer to this question, but if you want, I can give you a quick hint: one of the countries that appeared in the unwelcome list of the Geo Protection Policy was precisely China.

The top 5 attack sources generated together nearly 150,000 events. I was not that surprised when I looked up the IP Addresses (which I did not explicitly report on the graph) and realized that all of them came from China. These addresses were blocked a priori by Geo Protection.

The tabular report is even more explicit: 9 out of 10 of the top sources by number of attacks came from China, whilst 1 was shown to be an internal address (revealed to be a misconfigured device generating bogus events). Together the 9 top sources generated nearly 260,000 out of a total of 800,000 events collected from nearly 90,000 addresses.

As far as the impacted services are concerned, traditional protocols ranked at the top of the chart, with some strange occurrences (TCP/0 or UDP/0, which might indicate malformed packets or attempts to use old attacks targeting security devices). It is worth noting the presence of the well-known TCP port 1433 (MS-SQL).

Of course, the attempts to exploit Microsoft ports and (maybe) to harvest the network were detected by the Geo Protection engine, as shown in the following table.

While I was analysing these data I could not help but think of the recent post by Brian Krebs suggesting that the same attack perpetrated against RSA targeted more than 760 other organizations (almost 20 percent of the current Fortune 100 companies were on the alleged list). The same post indicated that 299 (out of more than 300) of the command and control networks used in these attacks were located in China.

Besides some concern regarding the Chinese cyber strategy, the parallel suggested to me that Geo Protection might provide valuable support for thwarting APTs or, more generally, for thwarting attacks phoning home to C&C servers located in “bad” countries, provided that the Geo Protection service database is constantly updated. Unfortunately, I am afraid that attackers will not take long to learn and adopt workarounds using (un)secure compromised C&C servers in “good” (i.e. not classified by the Geo Protection) countries. In any case, Geo Protection cannot be considered the only cure, but in the end this is the reason why NG-IPS are capable of enforcing different algorithms to provide a context-based security model.
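One way to triage Geo Protection events like those summarized above, as an added example that is not from the original post or from any product: it separates inbound blocks from outbound connections by internal hosts to a blocked country (the phone-home case) and lists sources of port 0 traffic. The log format, address ranges, placeholder country codes and policy are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed geo database: documentation prefixes mapped to placeholder
# country codes (XA/XB are user-assigned codes, not real countries).
GEO_DB = {ipaddress.ip_network("203.0.113.0/24"): "XA",
          ipaddress.ip_network("198.51.100.0/24"): "XB"}
BLOCKED = {"XA"}                               # assumed Geo Protection policy
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed events, one per line: "src dst proto/port"
SAMPLE = """\
203.0.113.7 10.0.0.5 tcp/1433
203.0.113.7 10.0.0.5 tcp/0
203.0.113.9 10.0.0.8 udp/0
198.51.100.4 10.0.0.5 tcp/443
10.0.0.23 203.0.113.50 tcp/443
10.0.0.23 203.0.113.50 tcp/443
10.0.0.99 10.0.0.1 udp/0
"""

def country(ip):
    """Return the placeholder country code for ip, or None if unknown."""
    return next((cc for net, cc in GEO_DB.items() if ip in net), None)

def triage(lines):
    """Split geo events into inbound blocks, outbound hits and port-0 sources."""
    inbound, outbound, port0 = Counter(), Counter(), Counter()
    for line in lines:
        try:
            s, d, service = line.split()
            src, dst = ipaddress.ip_address(s), ipaddress.ip_address(d)
        except ValueError:
            continue  # skip malformed records
        if service.endswith("/0"):
            port0[s] += 1  # TCP/0 or UDP/0: malformed or suspicious traffic
        if src in INTERNAL and country(dst) in BLOCKED:
            outbound[(s, d)] += 1  # internal host reaching a blocked country
        elif country(src) in BLOCKED:
            inbound[s] += 1        # external source blocked a priori
    return inbound, outbound, port0

if __name__ == "__main__":
    inbound, outbound, port0 = triage(SAMPLE.splitlines())
    print("top inbound blocked sources:", inbound.most_common(5))
    print("outbound to blocked country:", outbound.most_common())
    print("port 0 sources:", port0.most_common())
```

Outbound hits are far fewer than inbound blocks and deserve review first, and an internal address among the port 0 sources is the kind of misconfigured device mentioned in the tabular report.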
