RE: Active response... some thoughts.

From: Brian Laing (Brian.Laing@Blade-Software.com)
Date: 01/29/03

    From: "Brian Laing" <Brian.Laing@Blade-Software.com>
    To: "'Todd Heberlein'" <todd_heberlein@mac.com>, "'Garbrecht, Frederick'" <FGarbrecht@ecogchair.org>
    Date: Wed, 29 Jan 2003 10:12:15 -0800

    I would agree. In the many IDS installations I have either done or
    monitored over the years, the only real use of TCP reset that was useful
    and that my customers were willing to put in place was using it to kill
    network games, IM connections for file transfers, and as a response to
    backdoor traffic (depending on the back door, maybe useful or useless).
    I did have a few that used it to prevent unauthorized FTP traffic as
    well, but for what most people think of as attacks it is definitely more
    of a marketing buying criterion than a user criterion.

    Blade Software Nominated In The 8th ANNUAL SC AWARDS
    click on http://www.scmagazine.com/awards to vote
    *******************************************************************

    -------------------------------------------------------------------
    Brian Laing
    CTO
    Blade Software
    Cellphone: +1 650.280.2389
    Telephone: +1 650 367.9376
    eFax: +1 208.575.1374
    Blade Software - Because Real Attacks Hurt
    http://www.Blade-Software.com
    -------------------------------------------------------------------

    -----Original Message-----
    From: Todd Heberlein [mailto:todd_heberlein@mac.com]
    Sent: Tuesday, January 28, 2003 3:25 PM
    To: Garbrecht, Frederick
    Cc: focus-ids@securityfocus.com
    Subject: Re: Active response... some thoughts.

    On Tuesday, January 28, 2003, at 08:31 AM, Garbrecht, Frederick wrote:

    > ummmm, just a technical quibble, but a TCP reset wouldn't work with the
    > Sapphire worm because it propagates using UDP as transport, not
    > TCP.....

    It is just a minor quibble because the point is that the attack was
    completely contained in a single packet. The same would have held true
    if it was over a TCP/IP connection. Once the attack has been
    completed, a TCP RST would provide no value. It is the proverbial
    closing the barn doors after the horse is already out.

    RST is largely a marketing solution, not a technical solution.

    Todd
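The timing argument in the thread (an attack contained in a single packet has already been delivered by the time an IDS can react, and a UDP datagram has no connection to reset at all) can be checked with a small model. The code below is an added example for this archive page, not code from Brian, Todd or anyone else in the thread. It goes slightly beyond the messages by also covering the long-lived-flow case Brian mentions (file transfers, games), where a reset does cut off the remainder. Packet timings, payload sizes, the IDS decision latency and the RST transit time are all constructed values, and `evaluate_rst` / `summarize` are hypothetical helpers written for this illustration.

```python
"""Model of when an IDS-injected TCP RST can still accomplish anything.

Added example, not part of the Focus-IDS thread. The IDS tap sees a packet at
the same instant the victim does; it then needs some time to match a signature
and its RST needs some time to travel. Any packet the victim has received by
the time the RST arrives is already delivered, reset or not.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    t: int           # milliseconds: when the packet reaches the victim (and the tap)
    proto: str       # "tcp" or "udp"
    payload: int     # bytes of application data carried
    malicious: bool  # True if the IDS signature fires on this packet


@dataclass
class Flow:
    name: str
    packets: List[Packet]


@dataclass
class RstOutcome:
    applicable: bool             # False for UDP: there is no connection to reset
    rst_arrival: Optional[int]   # ms at which the injected RST reaches the victim
    bytes_delivered: int         # flow bytes the victim had already received
    bytes_blocked: int           # flow bytes the RST actually prevented


def evaluate_rst(flow: Flow, ids_latency_ms: int, rst_transit_ms: int) -> RstOutcome:
    """Hypothetical helper: decide how much of a flow a RST would have stopped."""
    total = sum(p.payload for p in flow.packets)
    if any(p.proto != "tcp" for p in flow.packets):
        return RstOutcome(False, None, total, 0)          # nothing to reset
    first_bad = next((p for p in flow.packets if p.malicious), None)
    if first_bad is None:
        return RstOutcome(True, None, total, 0)           # no signature match
    arrival = first_bad.t + ids_latency_ms + rst_transit_ms
    delivered = sum(p.payload for p in flow.packets if p.t <= arrival)
    return RstOutcome(True, arrival, delivered, total - delivered)


# Constructed sample flows: sizes and timings are illustrative, not measurements.
SINGLE_UDP_DATAGRAM = Flow("single UDP datagram worm", [
    Packet(0, "udp", 376, True),
])

SINGLE_PACKET_TCP = Flow("exploit in first TCP data segment", [
    Packet(0, "tcp", 0, False),      # handshake, no payload
    Packet(20, "tcp", 0, False),
    Packet(40, "tcp", 0, False),
    Packet(41, "tcp", 512, True),    # whole exploit in one segment
])

LONG_TRANSFER = Flow("IM file transfer", [
    Packet(0, "tcp", 0, False),
    Packet(20, "tcp", 0, False),
    Packet(40, "tcp", 0, False),
    Packet(50, "tcp", 1460, True),   # signature fires on the first data segment
] + [Packet(50 + 10 * i, "tcp", 1460, False) for i in range(1, 200)])

SAMPLE_FLOWS = (SINGLE_UDP_DATAGRAM, SINGLE_PACKET_TCP, LONG_TRANSFER)


def summarize(ids_latency_ms: int = 5, rst_transit_ms: int = 10) -> Dict[str, int]:
    """Return {flow name: bytes the RST blocked} for the constructed flows."""
    return {f.name: evaluate_rst(f, ids_latency_ms, rst_transit_ms).bytes_blocked
            for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        o = evaluate_rst(f, 5, 10)
        print(f"{f.name:38s} applicable={o.applicable!s:5s} "
              f"delivered={o.bytes_delivered:6d} blocked={o.bytes_blocked}")
```

Running it shows the three regimes side by side: the UDP datagram is not resettable, the single-segment TCP exploit is fully delivered before the RST arrives (blocked = 0), and only the long transfer loses most of its bytes to the reset. Tuning the latency parameters down does not change the first two outcomes, which is the point made in the thread.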


