Soft IPS: blocking traffic in passive mode

MetaFlows’ Soft IPS technology blocks unwanted traffic while the sensor runs in passive mode. It does this by injecting spoofed TCP packets into the network to tear down unwanted connections. The injection mechanism is coupled with a proprietary algorithm that predicts, from observed communication patterns, which traffic can safely be blocked. Soft IPS has the following benefits:
  • Runs entirely in software and can scale to 10 Gbps of network traffic on commodity hardware.
  • Runs in passive mode (not inline). This can be a significant advantage because a traditional inline IPS sits in the forwarding path and therefore poses a higher risk to the network’s availability.
  • Uses active response technology to block unwanted traffic (bots, spyware, P2P, etc.) and learns which flows need to be blocked proactively.

Architecture

[Figure: Soft IPS architecture diagram]

Detection

The sensor software detects unwanted traffic using several functional elements, including IPS signature detection, Network Antivirus and other user-defined block classifications (which may include multi-session rules). Any of these components can send a block signal to the Soft IPS subsystem. A block signal is a flow specification of the form:

 <srca/mask> <srcp> <dsta/mask> <dstp>

Any of the four fields sent by a detection component can be a wildcard. A wildcard is written as 0 for a port field and as 0.0.0.0/0 for an address field.

Invariant Extraction

Each block signal is then processed by an invariant extraction algorithm that identifies repeated attempts to block similar flows. Once a threshold is reached (for example, more than 5 attempts to block flows between the same two IP addresses with the same source port), invariant extraction automatically changes one or more fields of the block signal to a wildcard, so that a single broader expression covers the whole family of flows instead of one entry per flow.

Pcap Filter

Once a flow specification has been processed, and optionally generalized, by invariant extraction, it is passed to the pcap filter module, which captures all packets matching it. The pcap filter module also ages block signals that stop triggering, according to the following table:

Number of invariants   Example (BPF format)                                         Expires after
1                      host 1.2.3.4                                                 1 year
2                      host 1.2.3.4 and port 80                                     10 minutes
3                      host 1.2.3.4 and host 4.3.2.1 and port 80                    100 seconds
4                      host 1.2.3.4 and host 4.3.2.1 and port 80 and port 11111     100 seconds

As long as an expression keeps triggering within its expiration period, it remains active. An administrative Soft IPS expression (one entered by the operator rather than derived by invariant extraction) is never aged; it must be deleted explicitly by removing the associated policy.
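The invariant extraction and aging steps described above, as an added example in Python (this is illustration code, not MetaFlows’ implementation). The threshold of "more than 5" attempts, the wildcard conventions (0 and 0.0.0.0/0) and the expiry periods are taken from the text; the rule that a field is generalized when more than the threshold of distinct signals agree on the other three fields, the BPF rendering, the class and function names and the sample block signals are all assumptions constructed for the example.

```python
"""Invariant extraction and aging of Soft IPS block signals.

Added example, not MetaFlows code: the threshold, wildcard conventions and
aging periods follow the page; the one-field-at-a-time rule is an assumption.
"""
from collections import defaultdict

WILDCARD_ADDR, WILDCARD_PORT = "0.0.0.0/0", 0
THRESHOLD = 5   # "more than 5 attempts" triggers generalization
# expiry in seconds keyed by the number of non-wildcard fields (aging table)
EXPIRY_BY_INVARIANTS = {1: 365 * 24 * 3600, 2: 600, 3: 100, 4: 100}


def parse_signal(text):
    """'<srca/mask> <srcp> <dsta/mask> <dstp>' -> (srca, srcp, dsta, dstp)."""
    srca, srcp, dsta, dstp = text.split()
    return (srca, int(srcp), dsta, int(dstp))


def invariants(sig):
    """Count the fields that are not wildcards."""
    srca, srcp, dsta, dstp = sig
    return sum((srca != WILDCARD_ADDR, srcp != WILDCARD_PORT,
                dsta != WILDCARD_ADDR, dstp != WILDCARD_PORT))


def wildcard(sig, index):
    """Copy of sig with field `index` (0..3) replaced by its wildcard."""
    out = list(sig)
    out[index] = WILDCARD_PORT if index in (1, 3) else WILDCARD_ADDR
    return tuple(out)


def to_bpf(sig):
    """Render a flow specification in the undirected BPF style of the table."""
    srca, srcp, dsta, dstp = sig
    terms = []
    for addr in (srca, dsta):
        if addr != WILDCARD_ADDR:
            ip, _, mask = addr.partition("/")
            terms.append(f"host {ip}" if mask in ("", "32") else f"net {addr}")
    terms += [f"port {p}" for p in (srcp, dstp) if p != WILDCARD_PORT]
    return " and ".join(terms)


class InvariantExtractor:
    """Wildcard a field once more than `threshold` distinct block signals
    agree on the other three fields (assumed generalization rule)."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.seen = defaultdict(set)   # generalized signal -> distinct originals

    def process(self, sig):
        """Return the signal to install: the original or a wildcarded form."""
        for index in range(4):
            general = wildcard(sig, index)
            if general == sig:          # field is already a wildcard
                continue
            self.seen[general].add(sig)
            if len(self.seen[general]) > self.threshold:
                return general
        return sig


class PcapFilterTable:
    """Active filter expressions, aged as in the table above."""

    def __init__(self):
        self.last_hit = {}   # expression -> time of last trigger
        self.expiry = {}     # expression -> seconds, or None if administrative

    def install(self, sig, now, administrative=False):
        expr = to_bpf(sig)
        self.last_hit[expr] = now
        self.expiry[expr] = None if administrative else EXPIRY_BY_INVARIANTS[invariants(sig)]
        return expr

    def hit(self, expr, now):
        """A packet matched `expr`: refresh its timer."""
        if expr in self.last_hit:
            self.last_hit[expr] = now

    def age(self, now):
        """Drop derived expressions idle longer than their expiry; return them."""
        dropped = [e for e, t in self.last_hit.items()
                   if self.expiry[e] is not None and now - t > self.expiry[e]]
        for e in dropped:
            del self.last_hit[e], self.expiry[e]
        return dropped


def demo():
    """Constructed scenario: 1.2.3.4 keeps being blocked for flows to 4.3.2.1
    from source port 11111, each time on a different destination port."""
    extractor, table, installed = InvariantExtractor(), PcapFilterTable(), []
    for t, dstp in enumerate((80, 443, 8080, 8443, 1337, 31337)):
        sig = extractor.process(parse_signal(f"1.2.3.4/32 11111 4.3.2.1/32 {dstp}"))
        installed.append(table.install(sig, now=t))
    # administrative block entered from the console: never aged
    table.install(parse_signal("10.0.0.0/8 0 0.0.0.0/0 0"), now=0, administrative=True)
    table.hit(installed[-1], now=150)   # the generalized expression keeps matching
    dropped = table.age(now=200)        # 4-invariant entries idle > 100 s expire
    return installed, dropped, sorted(table.last_hit)
```

Calling demo() installs five fully specified expressions, then on the sixth signal returns the generalized "host 1.2.3.4 and host 4.3.2.1 and port 11111" (destination port wildcarded, 3 invariants, 100-second expiry). After 200 seconds the five specific entries have aged out, while the generalized one (refreshed by a hit) and the administrative "net 10.0.0.0/8" entry remain. Note the trade-off the aging table encodes: the broader an expression, the longer it lives, so a mistaken generalization of a busy host stays in force for a year unless an operator removes it.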

Active Response

When the pcap filter captures a packet, the sensor extracts its TCP sequence numbers together with the addresses and ports. This information is used to forge active response packets that spoof the source and destination addresses and ports of the connection. The spoofed packets are sent out through the sensor’s management interface, and the normal routing infrastructure is expected to deliver them to the source and destination addresses; the management interface must therefore have a route to both endpoints of the connection being blocked.
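Forging the spoofed packets from a captured TCP segment, as an added example (Python, standard library only; this is not MetaFlows’ code and MetaFlows does not document which packets it sends). It assumes the classic RST-injection recipe: for a captured segment A->B, send one RST to B spoofed from A carrying A's next sequence number, and one RST to A spoofed from B carrying the captured acknowledgement number, so each RST lands exactly at the receiver's expected sequence number. The captured packet, the addresses and the helper names are constructed for the example.

```python
"""Forging the spoofed TCP RST pair that a passive sensor injects.

Added example, not MetaFlows code. It assumes the classic RST-injection
recipe (a RST to each endpoint carrying the sequence number that endpoint
expects next); the captured packet is constructed inline.
"""
import socket
import struct

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
IP_PROTO_TCP = 6


def checksum(data):
    """RFC 1071 ones' complement checksum; yields 0 over data whose field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, window=0, payload=b""):
    """Minimal IPv4 + TCP packet (no options) with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      window, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + \
        struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IP_PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Extract the fields active response needs from a captured packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IP_PROTO_TCP:
        raise ValueError("not TCP: a RST cannot tear down UDP or ICMP traffic")
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    data_off = (off >> 4) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload_len": len(tcp) - data_off}


def checksums_ok(pkt):
    """True if both the IP header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def rst_pair(captured):
    """Two RSTs for a captured segment A->B: one to B spoofed from A and one
    to A spoofed from B. Each carries the sequence number its receiver expects
    next, so it matches rcv_nxt exactly and is accepted without a challenge ACK."""
    p = parse_ipv4_tcp(captured)
    # SYN and FIN each occupy one sequence number in addition to the payload
    consumed = p["payload_len"] + bool(p["flags"] & FLAG_SYN) + bool(p["flags"] & FLAG_FIN)
    to_receiver = build_ipv4_tcp(p["src"], p["dst"], p["sport"], p["dport"],
                                 (p["seq"] + consumed) & 0xFFFFFFFF, 0, FLAG_RST)
    to_sender = build_ipv4_tcp(p["dst"], p["src"], p["dport"], p["sport"],
                               p["ack"], 0, FLAG_RST)
    return to_receiver, to_sender


# Constructed capture: an HTTP request from 10.0.0.5 to 203.0.113.7 that a
# signature has just flagged (203.0.113.0/24 is a documentation range).
CAPTURED = build_ipv4_tcp("10.0.0.5", "203.0.113.7", 40000, 80, seq=1000,
                          ack=5000, flags=FLAG_PSH | FLAG_ACK, window=65535,
                          payload=b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for pkt in rst_pair(CAPTURED):
        print(parse_ipv4_tcp(pkt))
```

Putting the packets on the wire from the management interface requires a raw socket (on Linux, socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) with root privileges, then sendto() to each destination address), which is deliberately left out of the block so it runs offline. Two points a practitioner should keep in mind: the sensor only ever sees a copy of a segment after it has been delivered, so the RSTs race the connection and cannot stop a single-packet exchange; and the routers between the management interface and the endpoints must not apply anti-spoofing (reverse path) filtering to the sensor's traffic, or the forged packets will be dropped before they reach either side.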

Comparison with traditional “hard” IPS

                                        Inline IPS (with bypass)   Soft IPS (passive mode)
Blocks TCP                              Yes                        Yes
Extracts attacker invariants dynamically  No                       Yes
Block IP addresses from console         No                         Yes
Blocks UDP and ICMP                     Yes                        No
Software/hardware failure               All traffic stops          All traffic through
Power loss                              All traffic through        All traffic through
Performance impact                      >200 µs latency            None

The table above summarizes the advantages and disadvantages of Soft IPS compared with a traditional inline deployment. Soft IPS has no impact on performance or availability, at the expense of not being able to block UDP and ICMP packets (which, practically speaking, is of little importance on most networks). One further consequence of the passive design is worth noting: because the sensor works on a copy of the traffic, a blocked TCP connection is torn down after its first packets have already been delivered, so Soft IPS cannot prevent an exchange that completes in a single packet.