Re: Active response... some thoughts.

From: Scott Wimer (scottw@cylant.com)
Date: 02/03/03

  • Next message: Lance Spitzner: "Re: snort-inline inbound ruleset?"
    Date: Mon, 03 Feb 2003 09:16:45 -0800
    From: Scott Wimer <scottw@cylant.com>
    To: Chris Travers <chris@travelamericas.com>
    
    

    Chris,

    A local version of this is one of the available policy actions in our
    host based IPS product. However, because this has the potential to be
    abused and turn an IPS into a denial of service product, we recommend
    against using blanket "drop all traffice from the offending IP"
    actions. Just as effective but less risky is dropping all packets
    from that IP with the same remote and local port values (or if it's a
    TCP session, all packets for that session).

    One downside to this approach is that it seems like it would be a bit
    difficult to implement remotely. Mmm... actually, if you were to take
    the IP countermeasure code from KIP (http://kip.sf.net/) and just use
    the the IP stack hooking and countermeasure code building a router on
    top of FreeBSD or Linux that allowed this to be controlled remotely
    wouldn't be that difficult. Interesting idea. We might have to play
    around with that when we get some spare time -- probably in 2015. :(

    Regards,
    scottwimer

    Chris Travers wrote:
    > Hi--
    >
    > I had an additional idea relating to quasi-active response. For example--
    >
    > An IDS could have hooks into a routers filtering tables in order to
    > temporarily ban that IP address. This has the advantage of the RST in
    > that all inbound traffic from the attacker would be stopped, but would
    > create less traffic on the gateway than a RST would. Additionally this
    > could also be used against connectionless protocols such as UDP and ICMP.
    >
    > It is more flexible, could be implimented on a timer to minimize the
    > damage of false alarms, etc.
    >
    > Best Wishes,
    > Chris

    -- 
    Scott M. Wimer, CTO                      Cylant
    www.cylant.com                           121 Sweet Ave.
    v. (208) 883-4892                        Suite 123
    c. (208) 850-4454                        Moscow, ID 83843
    There is no Security without Control.