RE: Active response... some thoughts.
I am having a hard time imagining a decent hacker who is allowing inbound
and unsolicited ICMP. Furthermore, if a hacker can be assumed to be capable
of potentially ignoring RSTs (using a hacked stack), I cannot imagine how
ignoring the ICMP would be anything but trivial. Also, this goes back to
them being able to determine the presence of active response IDS, as they
probably already know that the host/port exists... and even if not, what
happens when they get the "port unreachable" AND the valid response from the
port?
> -----Original Message-----
> From: Sangram [mailto:sangram@mahindrabt.com]
> Sent: Tuesday, January 28, 2003 11:02 PM
Received on Fri Jan 31 11:36:55 2003