RE: IDS that retaliates.

From: Michael Lindsay (mlindsay@symantec.com)
Date: 03/05/02


To: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
From: "Michael Lindsay" <mlindsay@symantec.com>
Date: Wed, 6 Mar 2002 07:56:52 +1000


Replying to spoofed packets with an attack could have nasty consequences.
If someone spoofed packets with a source address belonging to a bank, and
you initiated a response that attacked the bank, what might happen then? :)

Mike Lindsay

From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: <charles.skoglund@om.com>, <security-basics@securityfocus.com>, <focus-ids@securityfocus.com>
cc:
Date: 06/03/2002 07:00 AM
Subject: RE: IDS that retaliates.

This is generally referred to as Active Response. In most cases
(commercial IDS), this involves the IDS sending TCP RST packets to both
ends of the connection so that the connection is destroyed and cleared
from the buffers. This is also the extent to which most
commercially-available IDSs "retaliate." Snort does this, as do ISS and
several other popular systems.

Now if you're referring to launching counter-attacks or similar
offensives in response to alerts, this isn't going to go mainstream in
the near future. There are a number of reasons for this, but most
notably is the fact that (in the U.S., anyway) intrusive retaliation is,
technically, every bit as illegal as the act that provoked it in the
first place.

I, too, have heard of government and defense projects that are
developing (and refining) intrusive-response technology, but realize
that the details of such systems would not likely be publicized.
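The connection-reset form of Active Response described above, and the reason it is safe where counter-attacking a source address is not, can be shown with a small model. The following is an added example and is not code from either poster or from Snort or ISS; the segment structure, the function names and all addresses and sequence numbers are constructed for illustration. It builds the two RST segments an IDS would emit for an observed flow (one toward each endpoint, following the RFC 793 rules for which sequence number each side will accept) and checks whether a reset's sequence number falls inside a receiver's window. Because both RSTs go only to the two endpoints of the observed flow, a spoofed source address means at worst one stray RST at a host that has no such connection and discards it, unlike an attack aimed at that address.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class TcpSegment:
    """Minimal view of one TCP/IP segment (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int
    flags: FrozenSet[str]  # e.g. frozenset({"ACK", "PSH"})


def build_reset_pair(observed: TcpSegment) -> Tuple[TcpSegment, TcpSegment]:
    """Return the two RST segments an active-response IDS would emit to tear
    down the flow carrying `observed` (the TCP RST response the thread calls
    Active Response).

    - The RST toward the destination impersonates the source. The destination
      accepts a RST only if its sequence number is in the receive window, so
      we use the next byte it expects: observed.seq plus the bytes this segment
      consumed (SYN and FIN each consume one sequence number).
    - The RST toward the source impersonates the destination. Per RFC 793,
      if the observed segment carried an ACK, the reply RST takes seq =
      observed.ack; if it did not (e.g. a bare SYN), the reply is RST+ACK with
      seq = 0 and ack = next expected byte.
    Neither segment is addressed to any host other than the flow's endpoints.
    """
    consumed = observed.payload_len
    if "SYN" in observed.flags or "FIN" in observed.flags:
        consumed += 1
    next_expected = (observed.seq + consumed) % SEQ_MOD

    to_dst = TcpSegment(
        src=observed.src, sport=observed.sport,
        dst=observed.dst, dport=observed.dport,
        seq=next_expected, ack=observed.ack, payload_len=0,
        flags=frozenset({"RST", "ACK"}),
    )
    if "ACK" in observed.flags:
        to_src = TcpSegment(
            src=observed.dst, sport=observed.dport,
            dst=observed.src, dport=observed.sport,
            seq=observed.ack, ack=0, payload_len=0,
            flags=frozenset({"RST"}),
        )
    else:
        to_src = TcpSegment(
            src=observed.dst, sport=observed.dport,
            dst=observed.src, dport=observed.sport,
            seq=0, ack=next_expected, payload_len=0,
            flags=frozenset({"RST", "ACK"}),
        )
    return to_dst, to_src


def in_receive_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test for a RST: rcv_nxt <= seq < rcv_nxt + rcv_wnd,
    computed modulo 2**32 so it is correct across sequence-number wrap.
    A receiver that has no connection on that 4-tuple never reaches this
    test; it simply drops the segment, which is what happens at a spoofed
    "source" host."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


if __name__ == "__main__":
    # Constructed sample: a client segment carrying 100 bytes toward a server.
    seg = TcpSegment("10.0.0.5", 40000, "192.0.2.10", 80,
                     seq=1000, ack=5000, payload_len=100,
                     flags=frozenset({"ACK", "PSH"}))
    to_dst, to_src = build_reset_pair(seg)
    print("RST toward server:", to_dst)
    print("RST toward client:", to_src)
    # Server currently expects byte 1100 with an 8 KiB window: reset accepted.
    print("server accepts:", in_receive_window(to_dst.seq, 1100, 8192))
```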


