Why is IPS blocking some clients

I have created a very simple test form on my site for recreating a problem where some of my customers cannot submit data to my site. It appears that their Intrusion Prevention Systems are detecting a problem and blocking the POST submission. However, they can't figure out what the problem is, and in two cases their IT people don't have the time to help.

The test form is

formatting link
If you are running an IPS/IDS, please try the form. The failures were occurring on the Submit. If it fails, please let me know the reason your IPS/IDS gives.

Thank you for helping, Tom

Reply to
Tom

That's exactly the problem why IPS are bullshit: Whereas IDS only give indications, IPS take such indications as the bare truth and act unconditionally.

Most likely it's because the POST message is very big and regular. The encoding as multipart/form-data might add up to the indications as well.

Reply to
Sebastian Gottschalk

IPS always implements some kind of SelfDoS attack. The reason is, that this concept is b0rken.

Yours, VB.

Reply to
Volker Birk

The test form is tiny -- the returned POST is only about 2kB. Did you try it? This seems to be the best group that would have some IPS running and can look at their logs to tell me what is causing the problem.

Tom

Reply to
Tom

Try to measure the size in number of fields. And become aware that these are quite many fields for a simple form.

No, I'm not running such bullshit. My job usually only consists of giving good examples why they're nonsense and uninstalling them.

Reply to
Sebastian Gottschalk

It only has 24 fields, corresponding to a form that would have hours 1-24. Even a single-field form caused problems when the user submitted enough text in the field to require 2 or more network packets to send.

Fortunately (I think) the problem is only seen by users that are on the other side of an IPS (of certain models perhaps). I need to know what it is about the form (or my site) that is causing the problem with these IPS's, and I too do not run one to know.

Anyone else that has an IPS, if you can try the site and let me know what error you may receive from your IPS/IDS log would be greatly appreciated.

(Test form remains at

formatting link
)

Let me know if there is another service or forum better suited for my request.

Thanks, Tom

Reply to
Tom

Just as a test try removing the enctype="multipart/form-data" tag.

Reply to
kingthorin

I tried a couple of variations of the form tag:

Original enctype="multipart/form-data"

formatting link

No enctype attribute

formatting link

Original enctype="application/x-www-form-urlencoded"

formatting link

Please try these.

The last two worked with one customer, but only because this format seems to pack the POST data much more efficiently when sent back to the server that way. I discovered earlier that that customer's site was allowing POST data through if the response was contained in one packet (content-length < 1500 bytes). The original multipart/form-data version required multiple packets for the same POST data, so the customer's IPS stopped it.

I tried the no-enctype, and enctype="application/x-www-form-urlencoded" on a form with data that required multiple packets (content-length > 1500) and the same failure occurred.

Tom

Reply to
Tom
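An added example, not part of any post in this thread: a sketch that builds the same 24-field form body under both encodings and checks each Content-Length against the 1500-byte single-packet figure Tom reports, which is useful when reproducing the size-dependent blocking. The field names (`hour1`..`hour24`), the sample values and the boundary string are constructed assumptions.

```python
from urllib.parse import urlencode

SINGLE_PACKET_LIMIT = 1500  # bytes; the content-length threshold reported in the thread


def urlencoded_body(fields):
    """Body as sent with application/x-www-form-urlencoded (or no enctype)."""
    return urlencode(fields).encode("ascii")


def multipart_body(fields, boundary):
    """Body as sent with multipart/form-data: one MIME part per field."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n"
        )
    parts.append(f"--{boundary}--\r\n")  # closing delimiter
    return "".join(parts).encode("utf-8")


def compare(fields, boundary="----ConstructedBoundary0123456789"):
    """Return Content-Length per encoding and whether it stays under the limit."""
    sizes = {
        "urlencoded": len(urlencoded_body(fields)),
        "multipart": len(multipart_body(fields, boundary)),
    }
    return {
        enc: {"content_length": n, "fits_one_packet": n < SINGLE_PACKET_LIMIT}
        for enc, n in sizes.items()
    }


def sample_form(n_fields=24, value="x" * 20):
    """Constructed stand-in for the 24-field 'hours' form."""
    return {f"hour{i}": value for i in range(1, n_fields + 1)}


if __name__ == "__main__":
    for label, form in (("24 fields", sample_form()),
                        ("1 field, 2 KB", {"comments": "a" * 2048})):
        for enc, result in compare(form).items():
            print(f"{label:14} {enc:11} {result}")
```

Content-Length covers only the body; request headers add to what goes on the wire, so the real per-packet margin is smaller than this comparison suggests.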

Here is a single-field form that fails on the same customer because the amount of data is about 2KB. Their IPS is blocking the post submission (probably sending the client a RST).

formatting link

If you have an IPS with logging, please try it and tell me what is wrong with it.

Tom

Reply to
Tom
