Re: Active response... some thoughts.
From: Scott Wimer (scottw@cylant.com)
Date: 02/03/03
- Previous message: Scott Wimer: "Re: Costs of a compromise related to the detection time"
- In reply to: Chris Travers: "Re: Active response... some thoughts."
- Next in thread: Ali Saifullah Khan: "Re: Active response... some thoughts."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 03 Feb 2003 09:16:45 -0800
From: Scott Wimer <scottw@cylant.com>
To: Chris Travers <chris@travelamericas.com>
Chris,
A local version of this is one of the available policy actions in our
host based IPS product. However, because this has the potential to be
abused and turn an IPS into a denial of service product, we recommend
against using blanket "drop all traffic from the offending IP"
actions. Just as effective but less risky is dropping all packets
from that IP with the same remote and local port values (or if it's a
TCP session, all packets for that session).
One downside to this approach is that it seems like it would be a bit
difficult to implement remotely. Mmm... actually, if you were to take
the IP countermeasure code from KIP (http://kip.sf.net/) and just use
the IP stack hooking and countermeasure code, building a router on
top of FreeBSD or Linux that allowed this to be controlled remotely
wouldn't be that difficult. Interesting idea. We might have to play
around with that when we get some spare time -- probably in 2015. :(
Regards,
scottwimer
Chris Travers wrote:
> Hi--
>
> I had an additional idea relating to quasi-active response. For example--
>
> An IDS could have hooks into a routers filtering tables in order to
> temporarily ban that IP address. This has the advantage of the RST in
> that all inbound traffic from the attacker would be stopped, but would
> create less traffic on the gateway than a RST would. Additionally this
> could also be used against connectionless protocols such as UDP and ICMP.
>
> It is more flexible, could be implemented on a timer to minimize the
> damage of false alarms, etc.
>
> Best Wishes,
> Chris
--
Scott M. Wimer, CTO
Cylant  www.cylant.com
121 Sweet Ave., Suite 123, Moscow, ID 83843
v. (208) 883-4892  c. (208) 850-4454
There is no Security without Control.
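The trade-off discussed in this thread, a blanket "drop everything from the offending IP" rule versus a rule scoped to the protocol and port pair of the offending session, with the timed expiry Chris suggests, is easy to see in a small policy simulator. The following is an added illustration, not code from Scott, Chris, Cylant or the KIP project; the packet stream, the addresses (RFC 5737 documentation ranges) and the ResponseTable/BlockEntry names are all constructed for the example. It shows why a blanket ban turns a false positive into a denial of service for every other session behind the same source address (a NAT gateway, a proxy, a shared host), while the scoped rule only affects the session that raised the alert.

```python
"""Active-response block policy: blanket IP ban vs. session-scoped ban.

Constructed example. Packets are 5-tuples; a BlockEntry is one response
rule whose None fields are wildcards. A rule with only `src` set is the
blanket ban; a rule with proto/sport/dst/dport set is the scoped ban.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class BlockEntry:
    """One active-response rule with an absolute expiry time (seconds)."""
    src: str
    expires: float
    proto: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet, now: float) -> bool:
        # An expired rule never matches, even before it is garbage-collected.
        if now >= self.expires or pkt.src != self.src:
            return False
        for field in ("proto", "sport", "dst", "dport"):
            want = getattr(self, field)
            if want is not None and getattr(pkt, field) != want:
                return False
        return True


class ResponseTable:
    """Filter table an IDS would push rules into (hypothetical router hook)."""

    def __init__(self) -> None:
        self.entries: List[BlockEntry] = []

    def add_blanket(self, alert: Packet, now: float, ttl: float) -> BlockEntry:
        """Drop all traffic from the offending IP: the risky option."""
        entry = BlockEntry(src=alert.src, expires=now + ttl)
        self.entries.append(entry)
        return entry

    def add_scoped(self, alert: Packet, now: float, ttl: float) -> BlockEntry:
        """Drop only packets sharing the alert's protocol and port pair."""
        entry = BlockEntry(src=alert.src, expires=now + ttl, proto=alert.proto,
                           sport=alert.sport, dst=alert.dst, dport=alert.dport)
        self.entries.append(entry)
        return entry

    def expire(self, now: float) -> int:
        """Remove rules whose timer has run out; returns how many were dropped."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if now < e.expires]
        return before - len(self.entries)

    def allows(self, pkt: Packet, now: float) -> bool:
        return not any(e.matches(pkt, now) for e in self.entries)


# Constructed traffic: the alerting session plus three other flows. Two of
# them come from the same source IP, as they would behind a NAT gateway.
ATTACK = Packet("tcp", "203.0.113.7", 40000, "198.51.100.10", 80)
TRAFFIC: Dict[str, Packet] = {
    "attack_session": ATTACK,
    "same_ip_other_session": Packet("tcp", "203.0.113.7", 40001, "198.51.100.10", 443),
    "same_ip_udp": Packet("udp", "203.0.113.7", 53000, "198.51.100.10", 53),
    "unrelated": Packet("tcp", "192.0.2.5", 50000, "198.51.100.10", 80),
}


def simulate(policy: str, ttl: float = 60.0) -> dict:
    """Apply one policy to the alert and report what passes during and after the ban."""
    table = ResponseTable()
    alert_time = 100.0
    if policy == "blanket":
        table.add_blanket(ATTACK, alert_time, ttl)
    elif policy == "scoped":
        table.add_scoped(ATTACK, alert_time, ttl)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    during = {name: table.allows(p, alert_time + 1) for name, p in TRAFFIC.items()}
    after_time = alert_time + ttl + 1
    table.expire(after_time)
    after = {name: table.allows(p, after_time) for name, p in TRAFFIC.items()}
    return {"during": during, "after": after, "active_rules": len(table.entries)}


if __name__ == "__main__":
    for policy in ("blanket", "scoped"):
        print(policy, simulate(policy))
```

Running it shows the blanket policy dropping all three flows from 203.0.113.7 while the scoped policy drops only the alerting session; once the timer expires both tables are empty and everything passes again, which is what limits the damage of a false alarm.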
- Next message: Lance Spitzner: "Re: snort-inline inbound ruleset?"