Posted by Tate Hansen
Fri, 01 Feb 2008 06:50:00 GMT
There are lots of articles mentioning the Digital Armaments bounty for exploits. I wrote a snippet on the commercial exploit market about a month ago in which I simply listed the prices for subscribing to the different exploit houses.
I guess I forgot to consider another complexity of all this, namely the influence of the organizations that compete to purchase exploits (e.g. iDefense, 3COM/TippingPoint, governments, and people and groups with lots of money).
I wonder how extensive this really goes – I mean, it seems this market is in a boom of sorts which implies there are lots of private exploits trading hands. Exactly how many would be interesting to know. Hell, any numbers would be nice.
One thing is apparent though: if this market continues to grow, how can any security products based on “knowing attacks” succeed? They won't. An IDS vendor is not going to be able to afford to purchase them all; no company will have a monopoly.
Tags: ClearNet, ClearNet Security, exploits, ids, ips, security, Tate Hansen, vulnerabilities
Posted by Tate Hansen
Tue, 14 Mar 2006 10:48:00 GMT
I've wanted to build this for a long time; alas, the pain and costs of obtaining disparate public IPv4 blocks are high. I want to perform 65k-port scans fast and accurately, and avoid 95% of the IDSes, IPSes, or whatever other ‘smart’ devices are in my way. It can be done.
- Buy or lease some servers
- Find a few data centers that connect to different Tier 1 providers
- Justify and purchase IP blocks from ARIN (or another regional registry)
- Set up scan server(s)
- Set up NAT server(s)
- Write some code to distribute port scans
- Feel cool when you can scan like crazy
- Feel really cool when no ‘smart’ devices alert, block, or rate limit you because you haven’t triggered any threshold ‘rules’
- Act surprised when the client mentions his team didn’t see or report any anomalous behavior
Here is a high-level diagram of what I want:

Of course, there are some realities which make this hard to build. Registries prefer to hand out contiguous net blocks, but it would be far more desirable to have a bunch of smaller non-contiguous net blocks. Some ‘smart’ devices do detect scans based on the source net block, not just via a single source IP. Bandwidth and latency conditions are always in play. I still want it. A scan setup like this is fast and distributed, can increase accuracy, and raises the difficulty of detection.
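The detection side of the point above (thresholds keyed on the source net block rather than on a single source IP), as an added example that is not part of the original post: a small Python aggregator run over constructed log lines, assuming a "timestamp src_ip dst_ip dst_port" line format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (format: "epoch src_ip dst_ip dst_port"), not real data.
# Six sources in 203.0.113.0/24 each probe two ports of one target (12 ports in
# total); 198.51.100.7 is benign traffic to a single port.
SAMPLE_LOG = """\
1000 203.0.113.10 192.0.2.5 21
1001 203.0.113.10 192.0.2.5 22
1002 203.0.113.11 192.0.2.5 23
1003 203.0.113.11 192.0.2.5 25
1004 203.0.113.12 192.0.2.5 53
1005 203.0.113.12 192.0.2.5 80
1006 203.0.113.13 192.0.2.5 110
1007 203.0.113.13 192.0.2.5 143
1008 203.0.113.14 192.0.2.5 443
1009 203.0.113.14 192.0.2.5 445
1010 203.0.113.15 192.0.2.5 3306
1011 203.0.113.15 192.0.2.5 3389
1016 198.51.100.7 192.0.2.5 443
1020 198.51.100.7 192.0.2.5 443
"""

def parse_log(text):
    """Parse log lines into (timestamp, source ip, destination ip, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((int(ts), ipaddress.ip_address(src), dst, int(port)))
    return events

def scan_alerts(events, window=60, threshold=10, prefix=24):
    """Count distinct (dst, port) pairs per source IP and per source /prefix
    inside one time window; return the keys that reach the threshold."""
    events = sorted(events)
    if not events:
        return {}, {}
    start = events[0][0]
    by_ip, by_block = defaultdict(set), defaultdict(set)
    for ts, src, dst, port in events:
        if ts - start > window:
            break
        block = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        by_ip[str(src)].add((dst, port))
        by_block[str(block)].add((dst, port))
    ip_alerts = {k: len(v) for k, v in by_ip.items() if len(v) >= threshold}
    block_alerts = {k: len(v) for k, v in by_block.items() if len(v) >= threshold}
    return ip_alerts, block_alerts
```

On the sample, the per-IP view never reaches the threshold (each address touches two ports) while the per-/24 view flags the block with 12 distinct ports.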
FYI: Initial costs from ARIN for different net block sizes
| Category | Initial Registration Fee (US Dollars) | Assignment Size |
| --- | --- | --- |
| X-small / Micro-allocation | $1,250 | /24 - < /20 |
| Small | $2,250 | /20 - /19 |
| Medium | $4,500 | > /19 - /16 |
| Large | $9,000 | > /16 - /14 |
| X-large | $18,000 | > /14 |
Tags: circumvent, ClearNet Security, ids, ips, nmap, port scanning, scanning, Tate Hansen