RE: Active response... some thoughts.

["Rob Shein" <shoten () starpower net>]

I am having a hard time imagining a decent hacker who is allowing inbound
and unsolicited ICMP.  Furthermore, if a hacker can be assumed to be capable
of potentially ignoring RSTs (using a hacked stack), I cannot imagine how
ignoring the ICMP would be anything but trivial.  Also, this goes back to
them being able to determine the presence of active response IDS, as they
probably already know that the host/port exists...and even if not, what
happens when they get the "port unreachable" AND the valid response from the
port?

> -----Original Message-----
> From: Sangram [mailto:sangram () mahindrabt com] 
> Sent: Tuesday, January 28, 2003 11:02 PM
> To: focus-ids () securityfocus com
> Subject: Re: Active response... some thoughts.
>
>
> TCP resets are not useful in the case UPD attacks are used; 
> wether small pipe or not. A different kind of active response 
> may help. I think this can be obtained by implementing the 
> ICMP echo "Port unreachable". This will give an attacker 
> false information on state of UDP ports as the process of UDP 
> scanning also relies on the same principle. What do u think?
>
> ----- Original Message -----
> From: Kohlenberg, Toby <toby.kohlenberg () intel com>
> To: mb_lima <mb_lima () uol com br>; <FGarbrecht () ecogchair org>
> Cc: <RLos () enteredge com>; <detmar.liesen () lds nrw de>; 
> <abegetchell () qx net>; <focus-ids () securityfocus com>
> Sent: Wednesday, January 29, 2003 12:58 AM
> Subject: RE: Active response... some thoughts.
>
> > Why not? Packets travel quickly even on small pipes...
> > If a block takes 3 seconds to implement, how many packets will have 
> > gone by, even on a small link? It has been a long time 
> since I saw a 
> > link that couldn't handle enough packets per second to get a nasty 
> > backdoor loaded in less than 3 seconds..
> >
> > toby
> >
> > > -----Original Message-----
> > > From: mb_lima [mailto:mb_lima () uol com br]
> > > Sent: Tuesday, January 28, 2003 8:39 AM
> > > To: FGarbrecht () ecogchair org
> > > Cc: Kohlenberg, Toby; RLos () enteredge com; 
> detmar.liesen () lds nrw de; 
> > > abegetchell () qx net; focus-ids () securityfocus com
> > > Subject: RE: Active response... some thoughts.
> > >
> > >
> > >
> > >  Toby,
> > >
> > > > Actually, TCP resets don't work in many cases-
> > >  for instance any
> > > > situation where you have a single packet exploit (say the Sa
> > > phire
> > > > worm that just ran through the Net)... This is the same prob
> > > lem
> > > > that router/firewall reconfiguration has-
> > >  by the time the response
> > > > happens, the compromise is done.
> > >
> > >   I agree with you, but I think that in low bandiwith 
> links this is 
> > > not a problem.
> > >
> > >    Marcelo.
> > >
> > >
> > > ---
> > > UOL, o melhor da Internet
> > > http://www.uol.com.br/
>
> *********************************************************
> Disclaimer
>
> This message (including any attachments) contains 
> confidential information intended for a specific 
> individual and purpose, and is protected by law. 
> If you are not the intended recipient, you should 
> delete this message and are hereby notified that 
> any disclosure, copying, or distribution of this
> message, or the taking of any action based on it, 
> is strictly prohibited.
>
> *********************************************************
> Visit us at http://www.mahindrabt.com