Snort mailing list archives
RE: Cisco PIX firwalls..
From: Joe Smith <shadowm4n () yahoo com>
Date: Mon, 15 Apr 2002 13:15:15 -0700 (PDT)
I'm not sure about this, but I think I'd disagree with you. Flexresp responds to a "react" rule with either an icmp-unreachable or a reset packet. Inside the reset is an acknowledgement number associated with the sequence it received from the previous packet. In order to do a spoofed source/DoS attack, you'd have to flood the network not only with the correct IP and port, but also sequence/ack number (incidentally, the sequence number is 32 bits, or 2^32 number of possible combinations; I imagine it would take some time to generate all possible combinations of packets necessary to ensure the connection is torn down). In short, as long as flexresp were left in its default configuration of rst-snd (i.e., only send resets to the source IP), I'm thinking it wouldn't cause significant issues in an attempted TCP DoS.

Just a thought...

Joe

-----Original Message-----
From: counter.spy () gmx de [mailto:counter.spy () gmx de]
Sent: Monday, April 15, 2002 2:28 PM
To: erek () theadamsfamily net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Cisco PIX firwalls..

I don't know if anyone is interested in a newbie's opinion :) But I would like to tell you that I _completely_ agree with Erek.

Firstly I need to tell you that I was very fond of active response mechanisms _before_ I tested those. It seemed to be a cool thing. What I found out: you can run into a _hell_ of problems using active response mechanisms.

An example: take a RealSecure Server Sensor with default Windows_Maximum signatures. If an attack occurs that triggers a blocking rule, the attacking host will be blocked for half an hour. Okay, if I send fake attacks with spoofed IPs I can even prevent the admins from connecting to their machines or prevent the IDS components from being connected to by the console :(

Another example - active Firewall reconfiguration. From what I know, you can only block an IP address or a service. Wanna DOS a service? If a site uses active Firewall reconfiguration you simply have to send lots and lots of spoofed attacks and the whole damned Internet will be unable to connect to the site (okay, maybe this is somewhat exaggerated, but you *really* can generate a lot of trouble).

But this is just my humble opinion and, as I said - I am a newbie and maybe I just did not configure my IDS properly - well it should not have such default settings in the first place.

BTW: I will *not* recommend usage of active response in my diploma thesis. It's so difficult to keep track of those blocking rules. IDS is expensive and you usually have a hard time justifying that you need xxxxx$ again for additional Sensors and stuff. So if you _ever_ cause network problems because your IDS blocks legitimate connections for whatever reason, your job will get a lot more unpleasant for you and you can forget that additional money you need for your IDS ;)
Greetings,
D. Liesen
Erek spoke:
<flailing robot arms>
DANGER! DANGER! DANGER WILL ROBINSON! [0]
</flailing robot arms>
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
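A small model of the sequence/ack argument in Joe's message, added here as an example; it is not code from the thread or from Snort's flexresp itself. It pairs a sender-directed reset (the rst-snd case he describes, modelled as the hypothetical `flexresp_rst_snd`) with the RFC 793 rule an endpoint applies before honouring a RST, and shows why a reset triggered by a spoofed segment is discarded by the legitimate client while one triggered by a genuine segment is accepted. All addresses, ports and sequence numbers are constructed.

```python
from dataclasses import dataclass

MOD32 = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int = 0
    flags: frozenset = frozenset({"ACK"})


@dataclass
class Endpoint:
    """One side of an established connection (constructed values)."""
    ip: str
    port: int
    snd_nxt: int        # next SEQ this side will transmit
    rcv_nxt: int        # next SEQ it expects from its peer
    rcv_wnd: int = 65535


def flexresp_rst_snd(trigger: TcpSegment) -> TcpSegment:
    """Hypothetical model of a sender-directed reset (rst-snd): the RST goes
    back to the trigger's source, its ACK acknowledges the sequence just seen,
    and its SEQ is taken from the trigger's ACK field, as RFC 793 prescribes."""
    return TcpSegment(src=trigger.dst, sport=trigger.dport,
                      dst=trigger.src, dport=trigger.sport,
                      seq=trigger.ack % MOD32,
                      ack=(trigger.seq + trigger.payload_len) % MOD32,
                      flags=frozenset({"RST", "ACK"}))


def accepts_rst(ep: Endpoint, rst: TcpSegment) -> bool:
    """RFC 793: a RST is honoured only if it is addressed to this endpoint and
    its SEQ lies inside the receive window [rcv_nxt, rcv_nxt + rcv_wnd)."""
    if "RST" not in rst.flags or (rst.dst, rst.dport) != (ep.ip, ep.port):
        return False
    return (rst.seq - ep.rcv_nxt) % MOD32 < ep.rcv_wnd


# Constructed scenario: client A is connected to server B; the sensor sits on B's side.
A = Endpoint("10.0.0.5", 40000, snd_nxt=1000, rcv_nxt=500_000)
genuine = TcpSegment("10.0.0.5", 40000, "192.0.2.10", 80, seq=A.snd_nxt, ack=A.rcv_nxt, payload_len=100)
spoofed = TcpSegment("10.0.0.5", 40000, "192.0.2.10", 80, seq=777, ack=3_000_000_000, payload_len=100)


def demo():
    """Returns (genuine trigger tears A down?, spoofed trigger tears A down?)."""
    return accepts_rst(A, flexresp_rst_snd(genuine)), accepts_rst(A, flexresp_rst_snd(spoofed))
```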
Current thread:
- Cisco PIX firwalls.. Austin Gonyou (Apr 12)
- Re: Cisco PIX firwalls.. Ashley Thomas (Apr 12)
- Re: Cisco PIX firwalls.. Erek Adams (Apr 13)
- <Possible follow-ups>
- RE: Cisco PIX firwalls.. Kent Hundley (Apr 14)
- RE: Cisco PIX firwalls.. Joe Smith (Apr 15)
- RE: Cisco PIX firwalls.. Erek Adams (Apr 15)
- RE: Cisco PIX firwalls.. Austin Gonyou (Apr 15)
- RE: Cisco PIX firwalls.. Erek Adams (Apr 15)
- Re: Cisco PIX firwalls.. counter . spy (Apr 15)
- Re: Cisco PIX firwalls.. Frank Knobbe (Apr 17)
