IDS mailing list archives
RE: Active response... some thoughts.
From: "Ralph Los" <RLos () enteredge com>
Date: Fri, 7 Feb 2003 00:51:35 -0500
Gents, I'm going to go out on a limb here...I'm trying to aggregate answers. Here's what sounds logical to me: - Active-Response (on-the-wire drop) is appropriate if you've got an in-line sensor that's tuned to detect signature-based attacks - TCP-RST is best implemented (and wholly appropriate) in spanning-port situations (or a tap) where you have a race-condition for the attention of the receiving stacks. Does this sum it up pretty well? If not, some correct me? /Ralph/ -----Original Message----- From: Pete Herzog [mailto:lists () isecom org] Sent: Thursday, February 06, 2003 9:54 AM To: Chris Travers; Thomas H. Ptacek Cc: Focus-IDS Subject: RE: Active response... some thoughts. Chris, Not just poorly implemented IDS but spoofed packets as well. How does an active IDS differentiate and if it can't is it possible to do the old CHARGEN - ECHO trick using the IDS of different companies to start sending RST packets at ever increasing rates against each other? If the IDS would even respond to RST floods (would be stupid I suppose).... I have tested networks with Active IDS and the only problem I found was when the IDS actually blocked my I at the router. The tester then has to ensure that the IDS has been told who to cut off and who not to and for how long. Otherwise, it's too easy to spoof packets and DoS for legitimate traffic and providers. The question then becomes is the service more or less valuable than the security of that service? Active IDS just does not work with Usability in my opinion. Too many things can and do go wrong which will make legitimate users and the service offered to them to be inconvenienced. Sincerely, -pete. www.isecom.org -----Original Message----- From: Chris Travers [mailto:chris () travelamericas com] Sent: Wednesday, February 05, 2003 8:16 AM To: Thomas H. Ptacek Cc: Focus-IDS Subject: Re: Active response... some thoughts. Thomas; I was also thinking about a liability from a poorly implimented system being able to be used to DOS an address by spoofing packets from that address. I guess I come back to advocating passive solutions primarily. Best Wishes, Chris Travers Thomas H. Ptacek wrote:
On 1/31/03 1:22 PM, "Chris Travers" <chris () travelamericas com> wrote:An IDS could have hooks into a routers filtering tables in order to temporarily ban that IP address. This has the advantage of the RST in that all inbound traffic from the attacker would be stopped, but wouldACL countermeasures are generally avoided because it is hard to make them fail safely. It is not easy to push soft-state ACLs to Cisco and Juniper routers; the risk that the IDS could get desynchronized from the filter is large.
Current thread:
- Re: Active response... some thoughts., (continued)
- Re: Active response... some thoughts. Chris Travers (Feb 05)
- RE: Active response... some thoughts. Pete Herzog (Feb 06)
- RE: Active response... some thoughts. Gonzalez, Albert (Feb 05)
- RE: Active response... some thoughts. Rob McMillen (Feb 06)
- Re: Active response... some thoughts. Ali Saifullah Khan (Feb 05)
- RE: Active response... some thoughts. Abe L. Getchell (Feb 06)
- Re: Active response... some thoughts. fr0ck9 (Feb 05)
- RE: Active response... some thoughts. Rob Shein (Feb 07)
- RE: Active response... some thoughts. Ralph Los (Feb 07)
- Re: Active response... some thoughts. SecurityFocus (Feb 10)
- RE: Active response... some thoughts. Ralph Los (Feb 07)
- Re: Active response... some thoughts. andre (Feb 08)
- Re: Active response... some thoughts. Frank Knobbe (Feb 10)
- RE: Active response... some thoughts. Rob Shein (Feb 11)
- Re: Active response... some thoughts. andre (Feb 08)