Re: Active response... some thoughts.

From: mb_lima <mb_lima(at)uol.com.br>
Date: Wed Jan 29 2003 - 13:45:39 EST

 Sangram,

   I think that this solution does not work very well. UDP is a connectionless protocol, and I think that many of these ICMP packets will only be discarded at the destination, because the malicious application will have finished after sending the UDP packets.

 Regards,

  Marcelo

> TCP resets are not useful in the case UDP attacks are used, whether small
> pipe or not. A different kind of active response may help. I think this can
> be obtained by implementing the ICMP echo "Port unreachable". This will give
> an attacker false information on the state of UDP ports, as the process of UDP
> scanning also relies on the same principle. What do you think?
tchell@qx.net>;
> <focus-ids@securityfocus.com>
lds.nrw.de;
> > > abegetchell@qx.net; focus-ids@securityfocus.com
> > > Subject: RE: Active response... some thoughts.
> > > > the Sapphire worm that just ran through the Net)... This is the same
> > > > problem that router/firewall reconfiguration has - by the time the
> > > > response happens, the compromise is done.
> > >
> > > I agree with you, but I think that in low bandwidth links
> > > this is not a problem.
> > >
> > > Marcelo.
> > >
> > >
> > > ---
> > > UOL, the best of the Internet
> > > http://www.uol.com.br/
> > >
> >
>
Received on Fri Jan 31 10:58:38 2003
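
The objection raised in the reply above, as an added example that is not part of the original message: an ICMP "port unreachable" error carries the offending datagram's IP header plus the first 8 bytes of its UDP header, and the receiving host uses that embedded flow to find the socket that sent it. The addresses, ports, zeroed checksums and the simplified socket table (a set of local address/port pairs) are constructed assumptions for illustration.

```python
import socket
import struct

def build_port_unreachable(src_ip, dst_ip, sport, dport):
    """Constructed sample: ICMP type 3 / code 3 message quoting a UDP datagram.
    Checksums are left at zero because nothing here validates them."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

def parse_port_unreachable(icmp):
    """Return (src_ip, sport, dst_ip, dport) of the quoted datagram, or None."""
    if len(icmp) < 8 + 20 + 8 or (icmp[0], icmp[1]) != (3, 3):
        return None
    inner = icmp[8:]                      # quoted original IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or inner[9] != socket.IPPROTO_UDP or len(inner) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (socket.inet_ntoa(inner[12:16]), sport,
            socket.inet_ntoa(inner[16:20]), dport)

def deliver(icmp, open_sockets):
    """Simplified host model: the error reaches an application only if the
    socket that sent the quoted datagram still exists."""
    flow = parse_port_unreachable(icmp)
    if flow is None:
        return "malformed"
    src_ip, sport, _, _ = flow
    return "delivered" if (src_ip, sport) in open_sockets else "discarded"

if __name__ == "__main__":
    msg = build_port_unreachable("192.0.2.10", "198.51.100.5", 40000, 1434)
    print(deliver(msg, {("192.0.2.10", 40000)}))  # sender still has the socket
    print(deliver(msg, set()))                    # sender already exited
```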

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT

