RE: Active response... some thoughts.

From: Garbrecht, Frederick (
Date: 01/28/03

  • Next message: Jason Beauford: "WINDUMP SYNTAX ASSISTANCE....."
    From: "Garbrecht, Frederick" <>
    To: "'Kohlenberg, Toby'" <>, mb_lima <>,
    Date: Tue, 28 Jan 2003 11:31:18 -0500

    ummmm, just a technical quibble, but a TCP reset wouldn't work with the
    Sapphire worm because it propagates using UDP as transport, not TCP.....

    Frederick Garbrecht, M.D., GSEC
    Coalition of National Cancer Cooperative Groups

    -----Original Message-----
    From: Kohlenberg, Toby []
    Sent: Monday, January 27, 2003 8:27 PM
    To: mb_lima;
    Subject: RE: Active response... some thoughts.

    > -----Original Message-----
    > From: mb_lima []
    > Sent: Monday, January 27, 2003 2:43 AM
    > Subject: RE: Active response... some thoughts.
    > > popular nor, IMHO, effective strategy. First off, as the em
    > ail mentions
    > > below, the attacker can just simply hack his stack to ignore
    > the
    > > resets...hey, it's possible. Also, TCP-
    > Resets can create a storm of packets
    > I donīt agree because TCP RST is sucessful to stop script
    > kiddies. Attacks more sofisticated are few and we know that
    > there are many ways to bypass IDS sensors (more easy ways).

    Actually, TCP resets don't work in many cases- for instance any
    situation where you have a single packet exploit (say the Saphire
    worm that just ran through the Net)... This is the same problem
    that router/firewall reconfiguration has- by the time the response
    happens, the compromise is done.