RE: Active response... some thoughts.
I would agree that in the many IDS installations I have either done or
monitored over the years, the only real use of TCP reset that was useful
and that my customers were willing to put in place was using it to kill network
games, IM connections for file transfers, and as a response to backdoor
traffic (depending on the back door, maybe useful or useless). I did have a
few that used it to prevent unauthorized FTP traffic as well, but for
what most people think of as attacks it is definitely more of a marketing
buying criterion than a user criterion.
Blade Software Nominated In The 8th ANNUAL SC AWARDS
click on http://www.scmagazine.com/awards to vote
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-----Original Message-----
From: Todd Heberlein [mailto:todd_heberlein@mac.com]
Sent: Tuesday, January 28, 2003 3:25 PM
To: Garbrecht, Frederick
Cc: focus-ids@securityfocus.com
Subject: Re: Active response... some thoughts.
On Tuesday, January 28, 2003, at 08:31 AM, Garbrecht, Frederick wrote:
> ummmm, just a technical quibble, but a TCP reset wouldn't work with the
> Sapphire worm because it propagates using UDP as transport, not
> TCP.....
It is just a minor quibble because the point is that the attack was
completely contained in a single packet. The same would have held true
if it was over a TCP/IP connection. Once the attack has been
completed, a TCP RST would provide no value. It is the proverbial
closing the barn doors after the horse is already out.
RST is largely a marketing solution, not a technical solution.
Todd
Received on Thu Jan 30 15:03:48 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT