IDS mailing list archives

RE: Active response... some thoughts.


From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Tue, 28 Jan 2003 09:55:37 -0800

Why not? Packets travel quickly even on small pipes...
If a block takes 3 seconds to implement, how many packets
will have gone by, even on a small link? It has been a
long time since I saw a link that couldn't handle enough
packets per second to get a nasty backdoor loaded in less
than 3 seconds..

toby

-----Original Message-----
From: mb_lima [mailto:mb_lima () uol com br]
Sent: Tuesday, January 28, 2003 8:39 AM
To: FGarbrecht () ecogchair org
Cc: Kohlenberg, Toby; RLos () enteredge com; detmar.liesen () lds nrw de;
abegetchell () qx net; focus-ids () securityfocus com
Subject: RE: Active response... some thoughts.



 Toby,

Actually, TCP resets don't work in many cases - for instance any
situation where you have a single packet exploit (say the Sapphire
worm that just ran through the Net)... This is the same problem
that router/firewall reconfiguration has - by the time the response
happens, the compromise is done.

  I agree with you, but I think that on low-bandwidth links
this is not a problem.

   Marcelo. 

 


