KristoferA
Service for detecting/thwarting POET attacks
Sep 21, 2010 11:45 AM
I put together a small, simple (experimental) Windows service that keeps an eye on the event log for the kind of CryptographicException errors generated by POET attacks. If a given remote IP address generates a large number of those exceptions, the service can block that IP in the Windows Firewall and/or send an email to an administrator. It is still just a proof-of-concept / experimental thingie, but hopefully it can be used as an additional layer of security to protect against POET-based attacks...
More info here:
http://huagati.blogspot.com/2010/09/detecting-poet-aspnet-attacks-poet.html
...and the service itself (including source code) can be downloaded from:
http://huagati.com/PoetSnifferService/download/HuagatiPoetSnifferService.zip
If you have any feedback regarding the service, please submit as comments in my blog...
Update: I just posted some installation instructions here for anyone brave enough to try it out: http://huagati.blogspot.com/2010/09/installing-poet-sniffer-service.html
huagati.com/dbmltools - New features for EF and L2S in VS2010/8
huagati.com/L2SProfiler - Profiler
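The detection idea described in the post above (count CryptographicException entries per remote IP and flag an address once it produces many), as an added example that is not part of the thread and not the service's own code. The threshold, the time window, the `parse_event`/`find_offenders` names and the "Exception type:" / "User host address:" entry layout are assumptions, and the sample entries are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: the post only says "a large number" of exceptions.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)
# Assumed entry layout (ASP.NET-style event text); adjust to the real log.
EXC_RE = re.compile(r"Exception type:\s*(\S+)")
IP_RE = re.compile(r"User host address:\s*(\S+)")

def parse_event(message):
    """Return the remote IP if the entry records a CryptographicException."""
    exc, ip = EXC_RE.search(message), IP_RE.search(message)
    if exc and ip and exc.group(1).endswith("CryptographicException"):
        return ip.group(1)
    return None

def find_offenders(events, threshold=THRESHOLD, window=WINDOW):
    """events: (datetime, message) pairs in time order.
    Returns {ip: time at which the threshold was first reached}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, message in events:
        ip = parse_event(message)
        if ip is None or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = ts       # candidate for firewall block / admin mail
    return flagged

def _entry(exc, ip):
    return f"Exception type: {exc}\nException message: ...\nUser host address: {ip}"

# Constructed sample data (documentation-range addresses).
T0 = datetime(2010, 9, 21, 11, 0, 0)
SAMPLE = sorted(
    # burst of padding errors from one address: six within six seconds
    [(T0 + timedelta(seconds=i), _entry("CryptographicException", "203.0.113.7")) for i in range(6)]
    # occasional errors (e.g. stale cookies), never five inside one window
    + [(T0 + timedelta(minutes=2 * i), _entry("CryptographicException", "198.51.100.4")) for i in range(5)]
    # unrelated exception type, ignored
    + [(T0 + timedelta(seconds=i), _entry("HttpException", "192.0.2.9")) for i in range(10)],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

The sliding window keeps occasional decryption failures from legitimate clients below the threshold, so only a concentrated run of failures from one address is flagged.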
KristoferA
Re: Service for detecting/thwarting POET attacks
Sep 24, 2010 10:04 AM
Update: just released a new version of the 'POET sniffer' service, and blogged about some of the changes made in the latest version (caused by the outcome of some POET attack simulations I have done).
http://huagati.blogspot.com/2010/09/testing-aspnet-poet-sniffer-service.html