Why is IPS blocking some clients
on 23.10.2006 16:44:17 by tom
I have created a very simple test form on my site for recreating a
problem where some of my customers cannot submit data to my site. It
appears that their Intrusion Prevention Systems are detecting a problem
and blocking the POST submission. However, they can't figure out what
the problem is, and in two cases their IT people don't have the time to
help.
The test form is http://www.sygration.com/cgi-bin/banana64
If you are running an IPS/IDS, please try the form. The failures were
occurring on the Submit. If it fails, please let me know the
reason your IPS/IDS gives.
Thank you for helping, Tom
Re: Why is IPS blocking some clients
on 23.10.2006 17:05:39 by unknown
Post removed (X-No-Archive: yes)
Re: Why is IPS blocking some clients
on 23.10.2006 17:39:40 by Volker Birk
Tom wrote:
> I have created a very simple test form on my site for recreating a
> problem where some of my customers cannot submit data to my site. It
> appears that their Intrusion Prevention Systems are detecting a problem
> and blocking the POST submission.
IPS always implements some kind of SelfDoS attack. The reason is, that
this concept is b0rken.
Yours,
VB.
--
"I never laugh."
Besim Karadeniz in d.c.s.m.
Re: Why is IPS blocking some clients
on 23.10.2006 22:03:00 by tom
Sebastian Gottschalk wrote:
> That's exactly the problem why IPS are bullshit: Whereas IDS only give
> indications, IPS take such indications as the bare truth and act
> unconditionally.
>
> > The test form is http://www.sygration.com/cgi-bin/banana64
>
> Most likely it's because the POST message is very big and regular. The
> encoding as multipart/form-data might add up to the indications as well.
The test form is tiny -- the returned POST is only about 2kB.
Did you try it? This seems to be the best group that would have some
IPS running and can look at their logs to tell me what is causing the
problem.
Tom
Re: Why is IPS blocking some clients
on 23.10.2006 22:13:49 by unknown
Post removed (X-No-Archive: yes)
Re: Why is IPS blocking some clients
on 24.10.2006 15:29:41 by tom
Sebastian Gottschalk wrote:
> Tom wrote:
>
> >> Most likely it's because the POST message is very big and regular. The
> >> encoding as multipart/form-data might add up to the indications as well.
> >
> > The test form is tiny -- the returned POST is only about 2kB.
>
> Try to measure the size in number of fields. And become aware that these
> are quite many fields for a simple form.
It only has 24 fields, corresponding to a form that would have hours
1-24. Even a single-field form caused problems when the user submitted
enough text in the field to require 2 or more network packets to send.
>
> > Did you try it?
>
> No, I'm not running such bullshit. My job usually only consists of giving
> good examples why they're nonsense and uninstalling them.
Fortunately (I think) the problem is only seen by users that are on the
other side of an IPS (of certain models perhaps). I need to know what
it is about the form (or my site) that is causing the problem with
these IPS's, and I too do not run one to know.
Anyone else that has an IPS: if you can try the site and let me know
what error you may receive from your IPS/IDS log, it would be greatly
appreciated.
(Test form remains at http://www.sygration.com/cgi-bin/banana64 )
Let me know if there is another service or forum better suited for my
request.
Thanks, Tom
Re: Why is IPS blocking some clients
on 24.10.2006 15:49:02 by kingthorin
Just as a test try removing the enctype="multipart/form-data" tag.
Re: Why is IPS blocking some clients
on 24.10.2006 21:07:19 by tom
kingthorin@gmail.com wrote:
> Just as a test try removing the enctype="multipart/form-data" tag.
I tried a couple of variations of the form tag:
Original enctype="multipart/form-data"
www.sygration.com/cgi-bin/banana64
No enctype attribute
www.sygration.com/cgi-bin/banana65
Original enctype="application/x-www-form-urlencoded"
www.sygration.com/cgi-bin/banana66
Please try these.
The last two worked with one customer, but only because this format
seems to pack the POST data much more efficiently when sent back to the
server that way. I discovered earlier that that customer's site was
allowing POST data through if the response was contained in one packet
(content-length < 1500 bytes). The original multipart/form-data
version required multiple packets for the same POST data, so the
customer's IPS stopped it.
I tried the no-enctype, and enctype="application/x-www-form-urlencoded"
on a form with data that required multiple packets (content-length >
1500) and the same failure occurred.
Tom
Re: Why is IPS blocking some clients
on 24.10.2006 21:39:49 by tom
Tom wrote:
> The last two worked with one customer, but only because this format
> seems to pack the POST data much more efficiently when sent back to the
> server that way. I discovered earlier that that customer's site was
> allowing POST data through if the response was contained in one packet
> (content-length < 1500 bytes). The original multipart/form-data
> version required multiple packets for the same POST data, so the
> customer's IPS stopped it.
>
> I tried the no-enctype, and enctype="application/x-www-form-urlencoded"
> on a form with data that required multiple packets (content-length >
> 1500) and the same failure occurred.
>
> Tom
Here is a single-field form that fails on the same customer because the
amount of data is about 2KB. Their IPS is blocking the post submission
(probably sending the client a RST).
www.sygration.com/cgi-bin/banana67
If you have an IPS with logging, please try it and tell me what is
wrong with it.
Tom
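The size effect described in the last two posts, as an added example that is not part of the original thread: the same form data is serialized as multipart/form-data and as application/x-www-form-urlencoded, and each body is checked against the 1500-byte single-packet threshold reported above. The field names (`hour1`..`hour24`, `comments`), the values and the boundary string are constructed, and the check looks at the body only, ignoring request headers.

```python
from urllib.parse import urlencode

SINGLE_PACKET_LIMIT = 1500  # bytes; threshold reported in the thread
BOUNDARY = "----ConstructedBoundary7d62a1"  # constructed; browsers choose their own


def urlencoded_body(fields):
    """Body for application/x-www-form-urlencoded (also the default with no enctype)."""
    return urlencode(fields).encode("ascii")


def multipart_body(fields, boundary=BOUNDARY):
    """Body for multipart/form-data: one MIME part, with its own headers, per field."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n'
            "\r\n"
            f"{value}\r\n"
        )
    parts.append(f"--{boundary}--\r\n")  # closing delimiter
    return "".join(parts).encode("utf-8")


def compare(fields):
    """Return content length and single-packet fit for both encodings."""
    bodies = {
        "multipart/form-data": multipart_body(fields),
        "application/x-www-form-urlencoded": urlencoded_body(fields),
    }
    return {
        enctype: {
            "content_length": len(body),
            "fits_one_packet": len(body) < SINGLE_PACKET_LIMIT,
        }
        for enctype, body in bodies.items()
    }


def hourly_form():
    """Constructed stand-in for the 24-field form (hours 1-24)."""
    return {f"hour{i}": "12.5" for i in range(1, 25)}


def single_field_form():
    """Constructed stand-in for the single-field form carrying about 2 KB of text."""
    return {"comments": "x" * 2000}


if __name__ == "__main__":
    for label, form in (("24 fields", hourly_form()), ("1 field", single_field_form())):
        for enctype, info in compare(form).items():
            print(f"{label:10} {enctype:36} {info}")
```

For the 24-field form the per-part headers push the multipart body past the threshold while the urlencoded body stays well under it; for the single large field, both encodings exceed it, matching the failures reported for the fourth test form.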