IDS mailing list archives

RE: Active response... some thoughts.


From: "Garbrecht, Frederick" <FGarbrecht () ecogchair org>
Date: Tue, 28 Jan 2003 11:31:18 -0500

ummmm, just a technical quibble, but a TCP reset wouldn't work with the
Sapphire worm because it propagates using UDP as transport, not TCP.....

Frederick Garbrecht, M.D., GSEC
Coalition of National Cancer Cooperative Groups


-----Original Message-----
From: Kohlenberg, Toby [mailto:toby.kohlenberg () intel com]
Sent: Monday, January 27, 2003 8:27 PM
To: mb_lima; RLos () enteredge com
Cc: detmar.liesen () lds nrw de; abegetchell () qx net;
focus-ids () securityfocus com
Subject: RE: Active response... some thoughts.


-----Original Message-----
From: mb_lima [mailto:mb_lima () uol com br]
Sent: Monday, January 27, 2003 2:43 AM
Subject: RE: Active response... some thoughts.

popular nor, IMHO, effective strategy.  First off, as the email mentions
below, the attacker can just simply hack his stack to ignore the
resets...hey, it's possible.  Also, TCP-Resets can create a storm of packets

 I don't agree, because TCP RST is successful at stopping script
kiddies. More sophisticated attacks are few, and we know that
there are many ways to bypass IDS sensors (easier ways).

Actually, TCP resets don't work in many cases, for instance any
situation where you have a single packet exploit (say the Sapphire
worm that just ran through the Net)... This is the same problem
that router/firewall reconfiguration has: by the time the response
happens, the compromise is done.

toby
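As an added illustration of the point being argued in this thread (this is not code from any of the posters), here is a small Python sketch of what a sensor doing TCP-reset active response actually has to build: a spoofed RST towards the server using the client's next sequence number, and a spoofed RST/ACK towards the client using the sequence number the client expects next (the ack it just sent). For a UDP datagram such as Sapphire's there is no connection state to tear down, so the sensor has nothing to inject; and even for TCP, the RST can only follow the segment that already delivered the payload. The two sample packets (a datagram to 1434/udp and an HTTP segment) are constructed inside the script and are not captured traffic; the "exploit completes in this packet" flag is an assumed input standing in for the detection engine's judgement.

```python
import socket
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 + TCP/UDP parser: just the fields needed to decide on a response."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"proto": proto, "src": pkt[12:16], "dst": pkt[16:20]}
    l4 = pkt[ihl:]
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        doff = (off_flags >> 12) * 4
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=off_flags & 0x1FF, payload=l4[doff:])
    elif proto == 17:  # UDP
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        info.update(sport=sport, dport=dport, payload=l4[8:length])
    return info


def build_tcp_rst(src, dst, sport, dport, seq, ack=0, with_ack=False) -> bytes:
    """IPv4/TCP segment with RST (optionally RST/ACK) set and valid checksums."""
    flags = 0x04 | (0x10 if with_ack else 0)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Recomputing over pseudo-header + segment (checksum included) must give zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp) == 0


def active_response(pkt: bytes, exploit_complete_in_packet: bool):
    """What a sensor could inject after flagging `pkt`.

    Returns (verdict, rst_to_server, rst_to_client). Resets exist only for TCP, and
    the flag (assumed to come from the detection logic) records whether the attack
    already finished with this very packet, in which case the RST arrives too late.
    """
    p = parse_ipv4(pkt)
    if p["proto"] != 6:
        return ("no-reset: not TCP", None, None)
    nxt = (p["seq"] + len(p["payload"])) & 0xFFFFFFFF
    # Towards the server, pretend to be the client: seq = client's next sequence number.
    to_server = build_tcp_rst(p["src"], p["dst"], p["sport"], p["dport"], nxt)
    # Towards the client, pretend to be the server: seq = what the client expects next.
    to_client = build_tcp_rst(p["dst"], p["src"], p["dport"], p["sport"],
                              p["ack"], nxt, with_ack=True)
    verdict = "reset-too-late" if exploit_complete_in_packet else "reset-sent"
    return (verdict, to_server, to_client)


def make_sample_packets():
    """Constructed sample traffic (not real captures): one UDP datagram, one TCP segment."""
    src, dst = socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9")
    udp_payload = b"\x04" + b"\x01" * 40          # filler, 41 bytes to 1434/udp
    udp = struct.pack("!HHHH", 40000, 1434, 8 + len(udp_payload), 0) + udp_payload
    ip_udp = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    data = b"GET / HTTP/1"                         # 12 bytes in an established session
    tcp = struct.pack("!HHIIHHHH", 40001, 80, 1000, 5000, (5 << 12) | 0x18, 65535, 0, 0) + data
    ip_tcp = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return ip_udp + udp, ip_tcp + tcp


if __name__ == "__main__":
    udp_pkt, tcp_pkt = make_sample_packets()
    print(active_response(udp_pkt, True)[0])       # nothing to reset on UDP
    verdict, to_srv, to_cli = active_response(tcp_pkt, False)
    print(verdict, parse_ipv4(to_srv)["seq"], parse_ipv4(to_cli)["seq"])
```

The sequence-number bookkeeping is the part real sensors get wrong: a RST whose seq is outside the receiver's window is silently dropped, which is also why an attacker who controls his own stack can simply ignore injected resets, as noted earlier in the thread.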

