Intrusion Prevention and Active Response: Deploying Network and Host IPS

Chapter 5: Network Inline Data Modification

Introduction

This chapter explores the concept and implementation of inline Application-layer data modification, and gives several motivating examples of why this technique is an effective addition to the security arsenal available to any security administrator. Many Intrusion Detection Systems (IDS) and Intrusion Prevention Services (IPS) offer the capability of taking some action against an Internet Protocol (IP) address from which an attack has been detected. Even though IDS are generally passive in terms of the network traffic they monitor, many offer active response capabilities such as the ability to spoof Transmission Control Protocol (TCP) reset packets and interact with firewall software to implement Network-layer blocking rules against offending IP addresses. This chapter discusses the notion of active response implemented at the highest layer in the protocol stack: the Application layer. This technique involves the direct alteration of the application portion of IP packets that are associated with an attack as they traverse a network, in an effort to nullify the attack. Performing this operation requires direct access to packet data structures as they flow across a network, and hence can only realistically be performed by an inline device such as a firewall, router, or specialized Ethernet bridge.
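As an added illustration (not code from the book), the sketch below shows what altering the application portion of a packet involves for an inline device handling an IPv4 TCP segment: the matched bytes are overwritten and the TCP checksum is recomputed so the receiver still accepts the segment. The function names, the equal-length replacement constraint, and the sample segment and signature string are assumptions constructed for this example.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)

def set_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """Zero the checksum field (bytes 16-17) and write the correct value."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = tcp_checksum(src_ip, dst_ip, zeroed)
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]

def rewrite_segment(src_ip, dst_ip, segment, match, replacement):
    """Overwrite `match` in the TCP payload; return (segment, changed)."""
    if len(match) != len(replacement):
        # Equal length keeps sequence numbers and IP total length valid.
        raise ValueError("replacement must be the same length as match")
    offset = (segment[12] >> 4) * 4          # TCP header length in bytes
    if offset < 20 or offset > len(segment):
        raise ValueError("malformed TCP header")
    header, payload = segment[:offset], segment[offset:]
    if match not in payload:
        return segment, False                # forward untouched
    patched = header + payload.replace(match, replacement)
    return set_checksum(src_ip, dst_ip, patched), True

def build_sample(src_ip: bytes, dst_ip: bytes, payload: bytes) -> bytes:
    """Constructed 20-byte TCP header (PSH+ACK, port 40000 -> 80) + payload."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000,
                         5 << 4, 0x18, 65535, 0, 0)
    return set_checksum(src_ip, dst_ip, header + payload)

if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
    seg = build_sample(src, dst, b"GET /?q=EXAMPLE-SIGNATURE HTTP/1.0\r\n\r\n")
    out, changed = rewrite_segment(src, dst, seg, b"EXAMPLE-SIGNATURE", b"X" * 17)
    print(changed, out[20:])
```

Because the header up to the checksum field is left untouched, the modified segment keeps its original ports and sequence and acknowledgment numbers.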

As discussed in Chapter 4, active response and/or intrusion prevention actions can be implemented at any layer of the stack above Layer 1 (Physical Media). However, Application-layer data modification provides the most stealthy active response method. To illustrate this, let's examine the implementation of active response techniques at the Data Link,...
