IPS blocking is an active response that provides our system with the capability to respond to an attack when it has been detected. Whenever a hostile signature alert is triggered and set for active response, the Masergy Unified Enterprise Security intrusion detection/intrusion prevention system (IDS/IPS) sends a series of packets to both source and destination IPs in an attempt to disrupt the current session.
If the attack uses TCP, the session is torn down with RST packets sent to both hosts. In the case of UDP, which has no session to reset, ICMP messages are sent to the host initiating the UDP traffic to inform the sender that the requested port/host is unavailable. We only set up IPS blocking on traffic with a very low rate of false positives, such as specific malware communication, APT exploit kit traffic, etc.
It is important to note that while effective, this method is not foolproof. Session sniping can be bypassed because of the time it takes an intrusion detection system (IDS) to generate the RST packets and put them on the wire. An attacker can take advantage of this lag by having the next packet in the TCP session arrive before the RST does: once the receiving host has advanced its expected sequence number past the one the RST carries, it treats the RST as out of window and ignores it.
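To make the race concrete, the following added example (not Masergy's code) models how a receiving host validates an incoming RST under RFC 5961 and replays two constructed arrival orders: the IDS RST arriving first, and the attacker's next segment arriving first. The sequence numbers, segment lengths and window size are constructed values.

```python
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


def seq_lt(a: int, b: int) -> bool:
    """True if sequence number a comes before b in 32-bit modular arithmetic."""
    return ((a - b) & (MOD - 1)) > (MOD >> 1)


def seq_between(lo: int, x: int, hi: int) -> bool:
    """lo <= x < hi, evaluated in modular sequence space."""
    return not seq_lt(x, lo) and seq_lt(x, hi)


@dataclass
class Receiver:
    """Minimal model of one side of an ESTABLISHED TCP connection."""
    rcv_nxt: int            # next sequence number the host expects
    rcv_wnd: int = 65535    # constructed receive window
    state: str = "ESTABLISHED"

    def on_data(self, seq: int, length: int) -> bool:
        """Accept an in-order data segment and advance rcv_nxt."""
        if self.state != "ESTABLISHED" or seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + length) % MOD
        return True

    def on_rst(self, seq: int) -> str:
        """RFC 5961 s.3.2: exact match resets, in-window gets a challenge ACK, else dropped."""
        if self.state != "ESTABLISHED":
            return "ignored"
        if seq == self.rcv_nxt:
            self.state = "CLOSED"
            return "reset"
        if seq_between(self.rcv_nxt, seq, (self.rcv_nxt + self.rcv_wnd) % MOD):
            return "challenge-ack"
        return "dropped"


def simulate(attacker_packet_first: bool, initial_seq: int = 1000) -> str:
    """Constructed scenario: the IDS sees the alerting segment (seq=initial_seq, 100 bytes)
    and crafts a RST carrying the victim's next expected byte, initial_seq + 100.
    If the attacker's following segment reaches the victim before that RST,
    rcv_nxt has already moved on and the RST is stale."""
    victim = Receiver(rcv_nxt=initial_seq)
    victim.on_data(initial_seq, 100)              # the segment that triggered the alert
    ids_rst_seq = (initial_seq + 100) % MOD       # what the IDS computed from that segment
    if attacker_packet_first:
        victim.on_data(initial_seq + 100, 100)    # next attacker segment wins the race
    return victim.on_rst(ids_rst_seq)
```

`simulate(False)` returns `"reset"` (the session is sniped); `simulate(True)` returns `"dropped"`, which is the bypass described above.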
Even though session disruption has limitations, it is a necessary feature in a defense-in-depth framework for stopping an attack in progress. In addition to IPS blocking, we also suggest integration with your firewall (if possible), since it allows us to issue shun/block commands upon seeing suspicious activity, so that the offending traffic is blocked entirely for a specific period of time. This is especially useful for situations such as persistent scanning or repeated attacks from the outside.
Overall, we recommend layering additional defense-in-depth security mechanisms in order to remediate attacks and address weaknesses from multiple angles.