RE: Active response... some thoughts.

From: Garbrecht, Frederick (FGarbrecht@ecogchair.org)
Date: 01/28/03

    From: "Garbrecht, Frederick" <FGarbrecht@ecogchair.org>
    To: "'Kohlenberg, Toby'" <toby.kohlenberg@intel.com>, mb_lima <mb_lima@uol.com.br>, RLos@enteredge.com
    Date: Tue, 28 Jan 2003 11:31:18 -0500
    
    

    ummmm, just a technical quibble, but a TCP reset wouldn't work with the
    Sapphire worm because it propagates using UDP as transport, not TCP.....

    Frederick Garbrecht, M.D., GSEC
    Coalition of National Cancer Cooperative Groups

    -----Original Message-----
    From: Kohlenberg, Toby [mailto:toby.kohlenberg@intel.com]
    Sent: Monday, January 27, 2003 8:27 PM
    To: mb_lima; RLos@enteredge.com
    Cc: detmar.liesen@lds.nrw.de; abegetchell@qx.net;
    focus-ids@securityfocus.com
    Subject: RE: Active response... some thoughts.

    > -----Original Message-----
    > From: mb_lima [mailto:mb_lima@uol.com.br]
    > Sent: Monday, January 27, 2003 2:43 AM
    > Subject: RE: Active response... some thoughts.
    >
    > > popular nor, IMHO, effective strategy. First off, as the email mentions
    > > below, the attacker can just simply hack his stack to ignore the
    > > resets...hey, it's possible. Also, TCP-Resets can create a storm of packets
    >
    > I don't agree, because TCP RST is successful at stopping script
    > kiddies. More sophisticated attacks are few, and we know that
    > there are many ways to bypass IDS sensors (easier ways).

    Actually, TCP resets don't work in many cases - for instance any
    situation where you have a single packet exploit (say the Sapphire
    worm that just ran through the Net)... This is the same problem
    that router/firewall reconfiguration has - by the time the response
    happens, the compromise is done.

    toby
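The two limits raised in this thread (a RST has nothing to tear down for a UDP datagram, and for a single-packet exploit the payload has landed before any response fires) can be replayed on constructed traffic. The script below is an added example written for this archive page, not code from any of the posters or from any IDS product; the flows, timings, byte counts and the 50 ms response latency are all constructed, and the sensor model is deliberately simple: one signature match, one RST injected after a fixed delay, and every TCP segment arriving after the RST counted as not delivered.

```python
"""Toy replay of an IDS 'active response' (TCP RST injection) over constructed
flows. Constructed example for illustration; not from the mailing-list thread."""
from dataclasses import dataclass


@dataclass
class Packet:
    t: float             # seconds since the flow's first packet (constructed timing)
    proto: str           # "tcp" or "udp"
    payload: int = 0     # application-layer bytes carried by this packet
    match: bool = False  # True if the sensor's signature fires on this packet


@dataclass
class Flow:
    name: str
    exploit_bytes: int   # payload the attacker must deliver for the exploit to land
    packets: list


def replay(flow, response_latency=0.05):
    """Replay one flow through a sensor that injects a TCP RST `response_latency`
    seconds after the first matching packet.

    Returns a dict describing whether a RST was even applicable, when the
    sensor detected and responded, how many payload bytes reached the victim
    before the reset took effect, and whether that was enough to compromise it."""
    detect_t = next((p.t for p in flow.packets if p.match), None)
    # A RST only makes sense for a connection; a UDP datagram has no state to kill.
    rst_applicable = flow.packets[0].proto == "tcp"
    response_t = None
    if detect_t is not None and rst_applicable:
        response_t = detect_t + response_latency
    delivered = 0
    for p in flow.packets:
        if response_t is not None and p.t >= response_t:
            break  # connection reset; later segments are discarded by the victim stack
        delivered += p.payload
    return {
        "flow": flow.name,
        "rst_applicable": rst_applicable,
        "detected_at": detect_t,
        "response_at": response_t,
        "delivered_bytes": delivered,
        "compromised": delivered >= flow.exploit_bytes,
    }


# Constructed sample flows.
FLOWS = [
    # One UDP datagram carrying the whole payload: nothing to reset.
    Flow("udp-single-datagram", exploit_bytes=376,
         packets=[Packet(0.0, "udp", payload=376, match=True)]),
    # TCP handshake, then the whole exploit in one segment: the RST lands too late.
    Flow("tcp-single-segment", exploit_bytes=1200, packets=[
        Packet(0.00, "tcp"),                             # SYN
        Packet(0.01, "tcp"),                             # SYN/ACK
        Packet(0.02, "tcp"),                             # ACK
        Packet(0.03, "tcp", payload=1200, match=True),   # exploit in one PSH/ACK
    ]),
    # Multi-stage TCP session: the first stage trips the signature, the RST cuts the rest.
    Flow("tcp-multi-stage", exploit_bytes=4000, packets=[
        Packet(0.00, "tcp"), Packet(0.01, "tcp"), Packet(0.02, "tcp"),
        Packet(0.03, "tcp", payload=1000, match=True),   # stage one
        Packet(0.10, "tcp", payload=1000),               # stages two to four never arrive
        Packet(0.20, "tcp", payload=1000),
        Packet(0.30, "tcp", payload=1000),
    ]),
]


def summarize(flows=FLOWS, response_latency=0.05):
    """Map each flow name to whether the victim was compromised despite the response."""
    return {r["flow"]: r["compromised"]
            for r in (replay(f, response_latency) for f in flows)}


if __name__ == "__main__":
    for f in FLOWS:
        print(replay(f))
```

Only the multi-stage TCP session comes out uncompromised; the UDP datagram is unreachable by a RST at all, and the single-segment TCP exploit is already delivered when the response goes out, which is the same race that firewall or router reconfiguration loses. Shrinking `response_latency` changes nothing for the first two flows, so the value of an active response depends on how much of the attack still has to arrive after the sensor fires, not on how fast the sensor is.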