Monday, June 30, 2008

More fodder for the arms race...

A long, long time ago (5 years, I think) I did a talk on why anomaly-based IDSes do not work: given a few days to analyze the traffic they see, you can evade them easily. I am guessing the same holds true for "throttling traffic even though it's encrypted". Look at the two points of data that can be reliably read from an encrypted flow, packet size and frequency (inter-arrival timing): an attacker can vary both greatly, by padding and retiming packets, without introducing much latency or overhead.
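To make the evasion concrete, here is an added example (not code from the original post): a toy detector that fingerprints an encrypted flow on the only two features it can read, mean packet size and mean inter-arrival gap, and a sender-side shaper that pads and retimes packets until the flow falls outside the detector's profile. All flows are constructed synthetic data; the packet sizes, intervals, tolerances and bucket size are assumptions chosen for illustration.

```python
"""Shaping an encrypted flow so a size/timing-based classifier no longer
matches it. Added example, not code from the original post; every flow is
constructed synthetic data and the detector is a deliberately simple one."""
import random
import statistics


def synth_flow(n, size_choices, interval, jitter, seed=1):
    """Constructed flow: n packets as (timestamp, size), with sizes drawn from
    size_choices and inter-arrival times from a Gaussian around interval."""
    rng = random.Random(seed)
    t, flow = 0.0, []
    for _ in range(n):
        t += max(0.0, rng.gauss(interval, jitter))
        flow.append((t, rng.choice(size_choices)))
    return flow


def features(flow):
    """The two things an on-path box can read from ciphertext: mean packet
    size and mean inter-arrival gap."""
    sizes = [s for _, s in flow]
    gaps = [b - a for (a, _), (b, _) in zip(flow, flow[1:])]
    return statistics.mean(sizes), statistics.mean(gaps)


def matches_profile(flow, profile, tol):
    """Detector: the flow is 'the throttled protocol' if both features sit
    within tolerance of the profile the box was trained on."""
    mean_size, mean_gap = features(flow)
    prof_size, prof_gap = profile
    return (abs(mean_size - prof_size) <= tol[0]
            and abs(mean_gap - prof_gap) <= tol[1])


def shape(flow, bucket, min_gap, jitter, seed=2):
    """Sender-side evasion: pad every packet up to the next multiple of
    `bucket` bytes and re-time it so consecutive packets are at least
    `min_gap` apart plus random jitter. Returns the shaped flow, the padding
    overhead as a fraction of the original bytes, and the delay added to the
    last packet."""
    rng = random.Random(seed)
    shaped, last = [], None
    for orig_t, size in flow:
        padded = -(-size // bucket) * bucket          # ceil to bucket multiple
        if last is None:
            send_t = orig_t
        else:
            send_t = max(orig_t, last + min_gap + rng.uniform(0, jitter))
        shaped.append((send_t, padded))
        last = send_t
    orig_bytes = sum(s for _, s in flow)
    overhead = (sum(s for _, s in shaped) - orig_bytes) / orig_bytes
    added_delay = shaped[-1][0] - flow[-1][0]
    return shaped, overhead, added_delay


def demo():
    """Constructed scenario (assumed numbers): a chatty protocol sends
    ~200-byte packets every ~20 ms; the box was trained on exactly that
    profile and throttles on a match."""
    target = synth_flow(200, [180, 200, 220], interval=0.020, jitter=0.002)
    profile = features(target)
    tol = (40, 0.005)                     # bytes, seconds
    before = matches_profile(target, profile, tol)
    shaped, overhead, delay = shape(target, bucket=256, min_gap=0.025, jitter=0.006)
    after = matches_profile(shaped, profile, tol)
    return before, after, overhead, delay


if __name__ == "__main__":
    before, after, overhead, delay = demo()
    print(f"matched before shaping: {before}, after: {after}")
    print(f"padding overhead: {overhead:.0%}, delay added to last packet: {delay:.2f}s")
```

Padding to a 256-byte bucket moves the mean size far enough that the match fails at roughly a quarter extra bandwidth; the retiming shifts the gap feature as well. The caveat a practitioner should notice is that this shaper only ever delays, so the added latency accumulates over a long flow; a real implementation would bound that by merging small packets or injecting cover traffic instead of queueing, and would aim to land inside some benign profile rather than merely outside the targeted one, since a detector can be retrained on whatever shape the shaper produces.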

Like most things in security produced in labs, this technique will only be effective as long as no one knows it has been implemented.
