Web Attack Crashes TippingPoint IPS

January 17, 2006

By Paul F. Roberts


Updated: Some 3Com customers using TippingPoint intrusion prevention appliances found themselves with trouble on their hands last week; the company says the problem lay in the now-patched software.

Mysterious Web attack traffic caused some of 3Com Corp.'s TippingPoint IPS devices to crash last week, requiring a hasty patch by the company.

Some TippingPoint customers had their IPS (intrusion prevention system) appliances crash while trying to process a specific kind of Internet attack traffic last week.

The company learned of the problem on Friday and issued an update for the TOS (TippingPoint OS) software within hours, said Laura Craddick, TippingPoint's public relations manager.

"A bug in the TippingPoint engine caused high CPU utilization.on a few of our customers' Internet-facing devices," Craddick wrote in an e-mail response to questions from eWEEK. The bug affected TippingPoint devices running TippingPoint OS 2.1 and 2.2, she wrote.

At York University in Toronto, TippingPoint IPS devices began crashing repeatedly on Friday, Jan. 13, prompting a call to the vendor, said Ramon Kagan of the University's Computing and Network Services department.

The crashes were caused by malicious HTTP traffic that attempted to trigger a known security vulnerability in another product. The HTTP attack traffic eventually caused the TOS software, which runs the IPS company's appliances, to crash, bringing down the whole device, he said.

Reports of the crashes were sporadic, because only a very specific type of attack traffic triggered the hole, Kagan said. He declined to provide details about the malicious traffic that crashed the IPS devices.

PointerFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

Complaints about the problem reached the Austin, Texas, company on Friday; about one day after TippingPoint shipped updated attack signatures to its clients. 3Com released new versions of the TOS software to address the issue, Craddick said.

Customers who were affected by the crashes speculated in an online discussion group that they may have been caused by a conflict with new attack signatures distributed the day before.

However, TippingPoint contends that the behavior was caused by a flaw in the TOS software, not by a bad signature, Craddick said.

In an e-mail to customers that was forwarded to eWEEK by another customer, TippingPoint said the crashes were not caused by targeted attacks against its IPS devices. Instead, they were an unexpected product of large-scale Internet scans for an unrelated vulnerability.

The university has been using TippingPoint's IPS technology for two years, Kagan said.

With the TippingPoint appliance offline, staff at York University had to deal with a mild increase in traffic, and used IDS (intrusion detection system) software to filter out some attacks. However, Kagan expressed satisfaction that 3Com responded within five hours with a software patch that fixed the problem.

Customers who have not done so should upgrade their TippingPoint appliances to version or of TOS, Craddick said.

main page ATTRITION feedback