RE: Active response... some thoughts.

From: Shashank Rai (shashrai@emirates.net.ae)
Date: 01/27/03

    Date: Mon, 27 Jan 2003 08:17:49 +0400
    From: Shashank Rai <shashrai@emirates.net.ae>
    To: "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com>
    
    

    On Fri, 2003-01-24 at 21:38, Ralph Los wrote:
    > First off, as the email mentions below, the attacker can just simply hack his stack to ignore the
    > resets...hey, it's possible.
    Possible, but will not be effective (of course depending upon the IDS one
    has). For e.g., in case of ISS, the IDS sends a RST packet to the attacker
    as well as the target. Hence, even if the attacker ignores the RST and
    continues to send packets, the target will not be responding to it,
    because for it the connection has already been broken.

    > Also, TCP-Resets can create a storm of packets
    > between your attacker and your IDS, effectively decreasing the effectiveness
    > of the IDS you have.
    Well, this is exactly what "stick" does. It creates a "storm of
    packets". I have personally played with this tool against ISS and CISCO
    IDS (Netranger ??). The idea was to send attacks specific to the target
    along with this storm. It worked well with the CISCO IDS and it did
    allow certain attacks to get through, but it was useless against ISS
    (of course this also depends upon a lot of other factors, such as how big
    is the pipe you are attacking from, how big is the pipe the target is sitting
    on). And, during this primitive IDS evasion technique there was hardly
    any difference in the normal functionality of the target.
    But as I mentioned earlier, if you are on a fatter pipe than the target,
    you can easily choke it up with the packet flood.

    > Just my personal, very humble opinion
    > Ralph

    my $0.2 :)

    -- 
    shashank 
    +------------------------------------------------------------------------+
       How much net work could a network work, if a network could net work?
    +------------------------------------------------------------------------+
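An added example, not part of the thread or of any IDS product: a small Python model of the reset exchange described above. It shows why a RST sent only to the attacker can be ignored while a RST sent to both ends (the ISS behaviour Shashank describes) leaves the target unwilling to accept further data, and it adds one caveat the post does not mention: an endpoint only honours a RST whose sequence number falls inside its receive window, so an IDS that tracks sequence numbers poorly resets nothing. Endpoint names, sequence numbers and window size are constructed.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    """Minimal model of one side of an established TCP connection (constructed)."""
    name: str
    rcv_nxt: int              # next sequence number expected from the peer
    rcv_wnd: int = 65535      # receive window size
    established: bool = True
    ignore_rst: bool = False  # an attacker-controlled stack may just discard RSTs

    def on_rst(self, seq: int) -> bool:
        """Honour a RST only if it is in-window (RFC 793 acceptability check)."""
        if self.ignore_rst or not self.established:
            return False
        if self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd:
            self.established = False
            return True
        return False

    def on_data(self, seq: int, length: int) -> str:
        """Reply to an incoming data segment: ACK if accepted, RST if no connection."""
        if not self.established:
            return "RST"
        if seq == self.rcv_nxt:
            self.rcv_nxt += length
            return "ACK"
        return "DROP"  # out-of-order data; simplified

def simulate(reset_both: bool, attacker_ignores_rst: bool, ids_seq_error: int = 0) -> str:
    """Run one IDS active-response round and return the target's reply to the
    attacker's next data segment (or ATTACKER_CLOSED if the attacker stopped)."""
    # Constructed connection state: target expects attacker seq 1000, attacker expects 5000.
    attacker = Endpoint("attacker", rcv_nxt=5000, ignore_rst=attacker_ignores_rst)
    target = Endpoint("target", rcv_nxt=1000)
    # IDS injects a RST towards the attacker, spoofed as if sent by the target.
    attacker.on_rst(5000 + ids_seq_error)
    if reset_both:
        # ISS-style response: also reset the target, spoofed as if sent by the attacker.
        target.on_rst(1000 + ids_seq_error)
    if not attacker.established:
        return "ATTACKER_CLOSED"
    # Attacker keeps sending its next in-order segment (100 bytes) regardless of the RST.
    return target.on_data(1000, 100)
```

Resetting only the attacker leaves the session alive when the RST is ignored; resetting both ends does not, unless the IDS's spoofed sequence number lands outside the window.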