Web Attack Crashes TippingPoint IPS

eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Mysterious Web attack traffic caused some of 3Com Corp.s TippingPoint IPS devices to crash last week, requiring a hasty patch by the company.

Some TippingPoint customers had their IPS (intrusion prevention system) appliances crash while trying to process a specific kind of Internet attack traffic last week.

The company learned of the problem on Friday and issued an update for the TOS (TippingPoint OS) software within hours, said Laura Craddick, TippingPoints public relations manager.

“A bug in the TippingPoint engine caused high CPU utilization…on a few of our customers Internet-facing devices,” Craddick wrote in an e-mail response to questions from eWEEK. The bug affected TippingPoint devices running TippingPoint OS 2.1 and 2.2, she wrote.

At York University in Toronto, TippingPoint IPS devices began crashing repeatedly on Friday, Jan. 13, prompting a call to the vendor, said Ramon Kagan of the Universitys Computing and Network Services department.

/zimages/1/28571.gifClick here to read about TippingPoints anti-phishing features.

The crashes were caused by malicious HTTP traffic that attempted to trigger a known security vulnerability in another product. The HTTP attack traffic eventually caused the TOS software, which runs the IPS companys appliances, to crash, bringing down the whole device, he said.

Reports of the crashes were sporadic, because only a very specific type of attack traffic triggered the hole, Kagan said. He declined to provide details about the malicious traffic that crashed the IPS devices.

/zimages/1/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Complaints about the problem reached the Austin, Texas, company on Friday; about one day after TippingPoint shipped updated attack signatures to its clients. 3Com released new versions of the TOS software to address the issue, Craddick said.

Customers who were affected by the crashes speculated in an online discussion group that they may have been caused by a conflict with new attack signatures distributed the day before.

However, TippingPoint contends that the behavior was caused by a flaw in the TOS software, not by a bad signature, Craddick said.

In an e-mail to customers that was forwarded to eWEEK by another customer, TippingPoint said the crashes were not caused by targeted attacks against its IPS devices. Instead, they were an unexpected product of large-scale Internet scans for an unrelated vulnerability.

The university has been using TippingPoints IPS technology for two years, Kagan said.

With the TippingPoint appliance offline, staff at York University had to deal with a mild increase in traffic, and used IDS (intrusion detection system) software to filter out some attacks. However, Kagan expressed satisfaction that 3Com responded within five hours with a software patch that fixed the problem.

Customers who have not done so should upgrade their TippingPoint appliances to version 2.1.4.6324 or 2.2.1.6506 of TOS, Craddick said.

Editors Note: This story was updated to include additional information from TippingPoint and a customer.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.