RE: Active response... some thoughts.

From: Shashank Rai (shashrai@emirates.net.ae)
Date: 01/27/03

    Date: Mon, 27 Jan 2003 08:17:49 +0400
    From: Shashank Rai <shashrai@emirates.net.ae>
    To: "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com>


    On Fri, 2003-01-24 at 21:38, Ralph Los wrote:
    > First off, as the email mentions below, the attacker can just simply hack his stack to ignore the
    > resets...hey, it's possible.
    Possible, but it will not be effective (of course, depending upon the IDS one
    has). For example, in the case of ISS, the IDS sends a RST packet to the attacker
    as well as the target. Hence, even if the attacker ignores the RST and
    continues to send packets, the target will not be responding to them,
    because for it the connection has already been broken.

    > Also, TCP-Resets can create a storm of packets
    > between your attacker and your IDS, effectively decreasing the effectiveness
    > of the IDS you have.
    Well, this is exactly what "stick" does. It creates a "storm of
    packets". I have personally played with this tool against ISS and CISCO
    IDS (Netranger ??). The idea was to send attacks specific to the target
    along with this storm. It worked well with the CISCO IDS and it did
    allow certain attacks to get through, but it was useless against ISS
    (of course, this also depends upon a lot of other factors, such as how big
    the pipe you are attacking from is, and how big the pipe the target is sitting
    on is). And, during this primitive IDS evasion technique there was hardly
    any difference in the normal functionality of the target.
    But as I mentioned earlier, if you are on a fatter pipe than the target,
    you can easily choke it up with the packet flood.

    > Just my personal, very humble opinion
    > Ralph

    my $0.2 :)

    -- 
    shashank 
    +------------------------------------------------------------------------+
       How much net work could a network work, if a network could net work?
    +------------------------------------------------------------------------+
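The "RST to both endpoints" behaviour discussed above, as an added example that is not part of the original post and not ISS's or any vendor's implementation: given one observed attacker-to-target segment, build the two forged RSTs an IDS would inject, one spoofed as the attacker towards the target and one spoofed as the target towards the attacker, with checksums filled in, and show the in-window check a receiving stack applies to decide whether to honour a RST. The addresses, ports, sequence numbers and payload are constructed; packets are only built and parsed in memory, nothing is sent.

```python
"""Forge the pair of TCP RSTs an IDS injects to tear a flow down at both ends.

Added example, not code from the original post or from any IDS product.  The
4-tuple, sequence numbers and payload below are constructed to stand in for one
observed segment.  Packets are built and parsed in memory only; sending them
would need raw sockets and root and is deliberately left out.
"""
import socket
import struct

RST, ACK = 0x04, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, seq, ack, flags, window=0, payload=b""):
    """Return an IPv4+TCP packet (no options) with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_tcp_packet(pkt: bytes) -> dict:
    """Decode the fields the IDS needs and verify both checksums (valid => sums to 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": tcp[(off >> 4) * 4:],
        "ip_csum_ok": inet_checksum(ip) == 0,
        "tcp_csum_ok": inet_checksum(pseudo + tcp) == 0,
    }


def forge_rst_pair(observed: bytes):
    """From one observed client->server segment, build the two RSTs an IDS injects.

    The RST to the server is spoofed as the client and carries the next sequence
    number the server expects (seq + payload length).  The RST to the client is
    spoofed as the server and uses the client's own ack as its sequence number.
    Each lands in-window at its receiver, so either stack tears the flow down.
    """
    o = parse_tcp_packet(observed)
    nxt = (o["seq"] + len(o["payload"])) & 0xFFFFFFFF
    to_server = build_tcp_packet(o["src"], o["dst"], o["sport"], o["dport"], nxt, o["ack"], RST | ACK)
    to_client = build_tcp_packet(o["dst"], o["src"], o["dport"], o["sport"], o["ack"], nxt, RST | ACK)
    return to_server, to_client


def rst_accepted(rcv_nxt: int, rcv_wnd: int, rst_seq: int) -> bool:
    """RFC 793 acceptance test: a RST is honoured only if SEQ falls in the receive
    window (modulo 2^32).  RFC 5961 narrows this to an exact RCV.NXT match and
    answers other in-window RSTs with a challenge ACK.  An attacker who "hacks his
    stack" simply skips this check on his own side; it does nothing for the RST the
    IDS delivers to the target, which is the point made in the post above."""
    return (rst_seq - rcv_nxt) % (1 << 32) < rcv_wnd


if __name__ == "__main__":
    # Constructed sample: attacker 10.0.0.5:40000 sends 12 bytes to target 10.0.0.80:80.
    probe = build_tcp_packet("10.0.0.5", "10.0.0.80", 40000, 80, 1000, 5000, ACK, 65535, b"GET / HTTP/1")
    for name, p in zip(("RST to target", "RST to attacker"), forge_rst_pair(probe)):
        d = parse_tcp_packet(p)
        print(name, d["src"], "->", d["dst"], "seq", d["seq"], "ack", d["ack"],
              "flags", hex(d["flags"]), "csum ok", d["ip_csum_ok"] and d["tcp_csum_ok"])
```

Note that `forge_rst_pair` only works because the IDS has seen the segment's sequence and acknowledgement numbers; a RST that misses the window is dropped (or, on an RFC 5961 stack, answered with a challenge ACK), which is the check `rst_accepted` models.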
    

