Re: Active response... some thoughts.

From: Thomas H. Ptacek (tqbf@pobox.com)
Date: 02/04/03

Date: Tue, 04 Feb 2003 12:57:42 -0500
From: "Thomas H. Ptacek" <tqbf@pobox.com>
To: Chris Travers <chris@travelamericas.com>

On 1/31/03 1:22 PM, "Chris Travers" <chris@travelamericas.com> wrote:

> An IDS could have hooks into a router's filtering tables in order to
> temporarily ban that IP address. This has the advantage of the RST in
> that all inbound traffic from the attacker would be stopped, but would

ACL countermeasures are generally avoided because it is hard to make them
fail safely. It is not easy to push soft-state ACLs to Cisco and Juniper
routers; the risk that the IDS could get desynchronized from the filter is
large.
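A sketch of the soft-state idea the reply refers to, added here as an illustration and not part of the thread or any vendor's implementation: both the IDS and the filter hold blocks with their own expiry, and a reconciliation pass shows how a lost push or a lost withdrawal leaves the two sides out of step. The table class, the TTL value and the addresses are constructed for the example.

```python
TTL = 300.0  # seconds an active-response block stays in force (constructed value)


class SoftStateTable:
    """A block table whose entries lapse on their own, so a lost withdrawal
    cannot leave an address filtered forever (the fail-safe property)."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.expiry = {}  # ip -> absolute time at which the entry lapses

    def add(self, ip, now):
        self.expiry[ip] = now + self.ttl

    def withdraw(self, ip):
        self.expiry.pop(ip, None)

    def purge(self, now):
        """Drop lapsed entries; returns the addresses released."""
        lapsed = [ip for ip, t in self.expiry.items() if t <= now]
        for ip in lapsed:
            del self.expiry[ip]
        return lapsed

    def active(self, now):
        return {ip for ip, t in self.expiry.items() if t > now}


def reconcile(ids_table, router_table, now):
    """Compare what the IDS intends with what the filter enforces.
    stale:   filtered on the router but no longer wanted by the IDS
    missing: wanted by the IDS but never reached the router (lost push)"""
    want, have = ids_table.active(now), router_table.active(now)
    return have - want, want - have


def simulate():
    """Constructed scenario: one push is delivered, one push is lost, and
    one withdrawal is lost; then the TTL releases the stale entry anyway."""
    ids, router = SoftStateTable(TTL), SoftStateTable(TTL)
    ids.add("10.0.0.5", 0)
    router.add("10.0.0.5", 0)         # t=0:   push delivered
    ids.add("10.0.0.7", 100)          # t=100: push to the router is lost
    ids.withdraw("10.0.0.5")          # t=150: IDS lifts the block, withdrawal lost
    stale, missing = reconcile(ids, router, 200)
    released_by_ttl = router.purge(400)   # router lapses the entry on its own
    return stale, missing, released_by_ttl
```

Without the router-side TTL the stale entry would persist until an operator noticed; with it, desynchronization is bounded to one TTL even if the reconciliation pass never runs.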