IDS mailing list archives
RE: Active response... some thoughts.
From: "Rob Shein" <shoten () starpower net>
Date: Thu, 30 Jan 2003 12:17:14 -0500
I am having a hard time imagining a decent hacker who is allowing inbound and unsolicited ICMP. Furthermore, if a hacker can be assumed to be capable of potentially ignoring RSTs (using a hacked stack), I cannot imagine how ignoring the ICMP would be anything but trivial. Also, this goes back to them being able to determine the presence of active response IDS, as they probably already know that the host/port exists...and even if not, what happens when they get the "port unreachable" AND the valid response from the port?
-----Original Message-----
From: Sangram [mailto:sangram () mahindrabt com]
Sent: Tuesday, January 28, 2003 11:02 PM
To: focus-ids () securityfocus com
Subject: Re: Active response... some thoughts.

TCP resets are not useful in the case UDP attacks are used; whether small pipe or not. A different kind of active response may help. I think this can be obtained by implementing the ICMP echo "Port unreachable". This will give an attacker false information on state of UDP ports as the process of UDP scanning also relies on the same principle. What do u think?

----- Original Message -----
From: Kohlenberg, Toby <toby.kohlenberg () intel com>
To: mb_lima <mb_lima () uol com br>; <FGarbrecht () ecogchair org>
Cc: <RLos () enteredge com>; <detmar.liesen () lds nrw de>; <abegetchell () qx net>; <focus-ids () securityfocus com>
Sent: Wednesday, January 29, 2003 12:58 AM
Subject: RE: Active response... some thoughts.

Why not? Packets travel quickly even on small pipes... If a block takes 3 seconds to implement, how many packets will have gone by, even on a small link? It has been a long time since I saw a link that couldn't handle enough packets per second to get a nasty backdoor loaded in less than 3 seconds..

toby

-----Original Message-----
From: mb_lima [mailto:mb_lima () uol com br]
Sent: Tuesday, January 28, 2003 8:39 AM
To: FGarbrecht () ecogchair org
Cc: Kohlenberg, Toby; RLos () enteredge com; detmar.liesen () lds nrw de; abegetchell () qx net; focus-ids () securityfocus com
Subject: RE: Active response... some thoughts.

Toby,

Actually, TCP resets don't work in many cases-for instance any situation where you have a single packet exploit (say the Sapphire worm that just ran through the Net)... This is the same problem that router/firewall reconfiguration has-by the time the response happens, the compromise is done.

I agree with you, but I think that in low bandwidth links this is not a problem.

Marcelo.
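As an added illustration of the timing argument Toby and Marcelo make above (example code written for this archive page, not from any poster in the thread): it serialises an attack over a link of a given speed, lets the IDS act only once the packet it can match on has fully arrived, and applies the reset or firewall rule a fixed latency later. The attack sizes, the 1460-byte segment size, the link speeds and the 3 s response latency are assumed values, not measurements.

```python
"""Timing model for the active-response race argued above (constructed example,
not any poster's code): attack sizes, link speeds and the 3 s response latency
are assumed values chosen to mirror the discussion, not measurements."""
from dataclasses import dataclass

@dataclass
class Attack:
    name: str
    total_bytes: int   # bytes the attacker must deliver to succeed
    packet_bytes: int  # on-the-wire size of each packet
    detect_after: int  # 1-based index of the packet the IDS can match on

@dataclass
class Outcome:
    blocked: bool         # response landed before the payload completed
    bytes_delivered: int  # attacker bytes delivered before the block took effect
    block_at_s: float     # time (s) at which the reset / firewall rule took effect

def simulate(attack: Attack, link_kbps: float, response_latency_s: float) -> Outcome:
    """Serialise the attack over the link at line rate and apply the response.
    The IDS can act only once packet `detect_after` has fully arrived; the block
    takes effect `response_latency_s` later, and anything on the wire by then
    is delivered."""
    bytes_per_s = link_kbps * 1000 / 8
    pkt_time = attack.packet_bytes / bytes_per_s
    n_pkts = -(-attack.total_bytes // attack.packet_bytes)  # ceiling division
    block_at = attack.detect_after * pkt_time + response_latency_s
    # Packets that complete before the block: the detected one plus everything
    # that fits into the latency window after it.
    delivered_pkts = min(n_pkts, attack.detect_after + int(response_latency_s / pkt_time))
    delivered = min(attack.total_bytes, delivered_pkts * attack.packet_bytes)
    return Outcome(delivered < attack.total_bytes, delivered, block_at)

# Assumed scenarios: a one-datagram UDP exploit in the style of the Sapphire worm
# named above, and two multi-packet TCP uploads of a hypothetical backdoor.
SINGLE_DATAGRAM = Attack("single-datagram UDP exploit", 404, 404, 1)
BACKDOOR_20K = Attack("20 KB backdoor upload", 20_000, 1460, 3)
BACKDOOR_60K = Attack("60 KB backdoor upload", 60_000, 1460, 3)

if __name__ == "__main__":
    for attack in (SINGLE_DATAGRAM, BACKDOOR_20K, BACKDOOR_60K):
        for link_kbps in (64, 128, 1544):
            o = simulate(attack, link_kbps, 3.0)
            print(f"{attack.name:28s} {link_kbps:5d} kbps  blocked={str(o.blocked):5s} "
                  f"delivered={o.bytes_delivered:6d} B  block_at={o.block_at_s:.2f}s")
```

Even with zero latency the single-datagram case is never blocked, because detection needs the datagram that is itself the exploit; on a 128 kbps link a 20 KB upload finishes inside the 3 s window, while only a 60 KB one is cut off part way.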