IDS mailing list archives
RE: Active response... some thoughts.
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 7 Feb 2003 15:48:44 -0500
More to the point, if you manage to send such a thing as a UDP packet with the RST flag set, without making the system at the other end go "Say WHAT???" let me know :)
-----Original Message-----
From: fr0ck9 [mailto:fr0ck9 () yahoo com]
Sent: Wednesday, February 05, 2003 5:42 PM
To: focus-ids () securityfocus com
Subject: Re: Active response... some thoughts.

Being that UDP is connectionless, an RST will not have an effect. If the IDS has the ability to do an ICMP Unreachable, then you might be able to affect the attacking device.

-----Original Message-----
From: Ali Saifullah Khan [mailto:ali_saifullah () hotmail com]
Sent: Monday, February 03, 2003 2:18 PM
To: focus-ids () securityfocus com
Subject: Re: Active response... some thoughts.

Todd's question still remains. I'm sure you tried to clear it out, but does a "TCP" RST have any effect on "UDP"-oriented connections? We're dealing with 2 different protocols here. The protocol behind the RST packet being TCP raises the previous question, and that's what we're trying to figure out here.

----- Original Message -----
From: mb_lima <mb_lima () uol com br>
To: <b_paul_palmer () yahoo com>
Cc: <focus-ids () securityfocus com>
Sent: Friday, January 31, 2003 9:34 PM
Subject: Re: Active response... some thoughts.

Hi Paul,

Your explanation is perfect, but an attacker can create ways to keep a sensor busy enough so that "if the sensor is fast enough" is not true. But I agree with you. TCP RST works fine for me.

Best Regards,
Marcelo

> Actually, TCP RST is more than just a marketing solution. In practice, if the sensor is fast enough, a TCP RST can and often will prevent even single packet attacks. Here is why...
>
> A TCP RST does not cause orderly connection termination. It causes immediate connection termination. That is, the protocol stack is not required to deliver pending data and typically does not.
>
> If you also take into consideration that on most operating systems, applications are not dispatched immediately upon arrival of new data, there is a window of opportunity for the protocol stack to receive and process the RST even before the application can read the previously received data from the single packet attack!
>
> On most operating systems, when a process is moved from a wait queue to the run queue, it is not given immediate control of the CPU unless it has a "realtime" priority or the run queue is completely empty. Therefore, it will on average have to wait half a time slice before it can read its data. A typical time slice is 10ms. If the IDS can get the RST sent in under 5ms, it can often stop a single packet attack. The odds go up if the IDS is faster or the server is busy.
>
>> On Tuesday, January 28, 2003, at 08:31 AM, Garbrecht, Frederick wrote:
>>
>>> ummmm, just a technical quibble, but a TCP reset wouldn't work with the Sapphire worm because it propagates using UDP as transport, not TCP.....
>>
>> It is just a minor quibble because the point is that the attack was completely contained in a single packet. The same would have held true if it was over a TCP/IP connection. Once the attack has been completed, a TCP RST would provide no value. It is the proverbial closing the barn doors after the horse is already out.
>>
>> RST is largely a marketing solution, not a technical solution.
>>
>> Todd
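Two points in this thread lend themselves to a small model: the protocol mismatch (a TCP RST has no meaning for a UDP flow, so the only in-band option there is an ICMP unreachable) and Paul's scheduling-race argument (the victim application reads the attack payload only after it is dispatched, so a fast enough RST can win). The following Python is an added example written for this archive page, not code from any poster. It assumes Paul's model literally: the application's read happens at a delay distributed uniformly over one time slice (default 10ms), and the RST wins if the sensor's end-to-end latency is shorter than that delay. The function and parameter names are my own.

```python
import random

# Protocol-appropriate active response. Constructed dispatch table for the
# example; real sensors expose this choice through their own configuration.
def choose_active_response(proto: str):
    """Return the response that can plausibly terminate a flagged flow.

    A TCP RST only makes sense for TCP, because it acts on connection state
    in the peer's stack. UDP has no connection to reset, so the closest
    equivalent is an ICMP port-unreachable (the option fr0ck9 mentions).
    Anything else gets no in-band response.
    """
    proto = proto.lower()
    if proto == "tcp":
        return "tcp_rst"
    if proto == "udp":
        return "icmp_port_unreachable"
    return None


def rst_win_probability(sensor_latency_ms: float, time_slice_ms: float = 10.0) -> float:
    """Analytic form of Paul's argument (assumed model, see lead-in).

    The application reads the single-packet payload at a time uniform in
    [0, time_slice_ms] after it arrives. The RST wins when it is processed
    before that read, i.e. when sensor_latency_ms < read delay. With a
    10ms slice and a 5ms sensor, that is one chance in two.
    """
    if sensor_latency_ms <= 0:
        return 1.0
    if sensor_latency_ms >= time_slice_ms:
        return 0.0
    return 1.0 - sensor_latency_ms / time_slice_ms


def simulate_rst_race(sensor_latency_ms: float, time_slice_ms: float = 10.0,
                      trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of the same race; returns the observed win rate.

    A busier server (run queue never empty) can be modelled by passing a
    larger time_slice_ms, which widens the window and raises the RST's odds,
    matching Paul's remark. Marcelo's objection, an attacker keeping the
    sensor busy, is a larger sensor_latency_ms, which lowers them.
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    wins = 0
    for _ in range(trials):
        app_read_at_ms = rng.uniform(0.0, time_slice_ms)
        if sensor_latency_ms < app_read_at_ms:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    for proto in ("tcp", "udp", "icmp"):
        print(f"{proto:5s} -> {choose_active_response(proto)}")
    for latency in (1.0, 5.0, 8.0, 12.0):
        print(f"sensor {latency:4.1f}ms: analytic {rst_win_probability(latency):.2f}, "
              f"simulated {simulate_rst_race(latency):.2f}")
```

The useful takeaway for a sensor deployment is the shape of the curve rather than any single number: win probability falls linearly with sensor latency and reaches zero once the sensor is slower than one time slice, which is why the RST is a supplement to detection rather than a guarantee against single-packet attacks.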