
IPS Global Correlation: Spoofing IP

sgjr82841
Level 1

Guys,

I have got a question from a customer asking how IPS GC deals with legitimate IP addresses being spoofed and used for attacks. The customer is concerned about their customers' IP addresses being spoofed and marked with bad reputations, and that after receiving updates from the Cisco Sensor database the customer might be blocking their own customers.

My view is that for an attacker to cause an IP address to be marked as bad they have to launch a very sophisticated attack, probably using different types of traffic (also high volume??), and it must appear in the Sensor database frequently (I do not know how frequent??). The customer is looking for more explanation on how and what procedures Cisco uses to mark an IP for bad reputation.

Thanks in advance for your inputs.

1 Reply

Hello sg jr,

While the details of the Global Correlation and Reputation algorithm are proprietary and not shareable, your assumptions are correct. A significant amount of legitimately and verifiably malicious traffic would need to be repetitively generated and targeted to cause an IP to obtain a negative reputation.

Please let me know if I can help you with anything further within the context of this thread. If your question has been Answered, please mark the thread as such so that it will be helpful to other users. Also, please feel free to Rate this thread to reflect your experience.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
