
RE: Active response... some thoughts.

From: Ralph Los <RLos(at)enteredge.com>
Date: Fri Feb 07 2003 - 00:51:35 EST


Gents,

        I'm going to go out on a limb here...I'm trying to aggregate answers. Here's what sounds logical to me:

  • Active-Response (on-the-wire drop) is appropriate if you've got an in-line sensor that's tuned to detect signature-based attacks
  • TCP-RST is best implemented (and wholly appropriate) in spanning-port situations (or a tap) where you have a race-condition for the attention of the receiving stacks.

Does this sum it up pretty well? If not, someone correct me?

/Ralph/

-----Original Message-----
From: Pete Herzog [mailto:lists@isecom.org]
Sent: Thursday, February 06, 2003 9:54 AM
To: Chris Travers; Thomas H. Ptacek
Cc: Focus-IDS
Subject: RE: Active response... some thoughts.

Chris,

Not just poorly implemented IDS but spoofed packets as well. How does an active IDS differentiate and if it can't is it possible to do the old CHARGEN - ECHO trick using the IDS of different companies to start sending RST packets at ever increasing rates against each other? If the IDS would even respond to RST floods (would be stupid I suppose)....

I have tested networks with Active IDS and the only problem I found was when the IDS actually blocked my IP at the router. The tester then has to ensure that the IDS has been told who to cut off and who not to and for how long. Otherwise, it's too easy to spoof packets and DoS for legitimate traffic and providers. The question then becomes is the service more or less valuable than the security of that service?


Active IDS just does not work with Usability in my opinion. Too many things can and do go wrong which will cause legitimate users and the service offered to them to be inconvenienced.

Sincerely,
-pete.
www.isecom.org
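The safeguards Pete describes (telling the IDS who it may cut off, who it must never cut off, and for how long, so that spoofed packets cannot turn the active response into a DoS against a legitimate address) are sketched below as an added example; this is not Pete's code nor any list member's, and ActiveResponder, never_block and block_ttl are hypothetical names, with the alerts being constructed sample input.

```python
import ipaddress
import time

# Added example, not Pete's or the list's code: block-decision logic for an
# active-response IDS. ActiveResponder, never_block and block_ttl are
# hypothetical names; alert tuples are constructed sample input.
class ActiveResponder:
    def __init__(self, never_block, block_ttl, now=time.monotonic):
        # Addresses the IDS must never cut off (providers, partners, own infra).
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.block_ttl = block_ttl      # seconds: "for how long"
        self.now = now                  # injectable clock for testing
        self.blocks = {}                # src_ip -> expiry timestamp

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def decide(self, src_ip, handshake_complete):
        """Return ('block', reason) or ('log', reason) for one alert."""
        if self._protected(src_ip):
            return "log", "source on never-block list"
        if not handshake_complete:
            # A spoofed source cannot finish the TCP handshake; cutting it off
            # at the router would let anyone DoS that address.
            return "log", "no completed handshake: possible spoof"
        self.blocks[src_ip] = self.now() + self.block_ttl
        return "block", f"cut off for {self.block_ttl}s"

    def is_blocked(self, src_ip):
        expiry = self.blocks.get(src_ip)
        if expiry is None:
            return False
        if self.now() >= expiry:        # block expires on its own
            del self.blocks[src_ip]
            return False
        return True

def run_sample():
    clock = [1000.0]
    r = ActiveResponder(["192.0.2.0/24"], block_ttl=60, now=lambda: clock[0])
    alerts = [("198.51.100.7", True),   # constructed: attacker, handshake done
              ("192.0.2.10", True),     # constructed: protected provider address
              ("203.0.113.5", False)]   # constructed: bare SYN, possibly spoofed
    decisions = {src: r.decide(src, hs)[0] for src, hs in alerts}
    blocked_now = r.is_blocked("198.51.100.7")
    clock[0] += 61                      # advance past the TTL
    blocked_later = r.is_blocked("198.51.100.7")
    return decisions, blocked_now, blocked_later
```

Only a source that completed the handshake and is not on the never-block list is cut off, and the cut-off lapses on its own after block_ttl seconds.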

-----Original Message-----
From: Chris Travers [mailto:chris@travelamericas.com]
Sent: Wednesday, February 05, 2003 8:16 AM
To: Thomas H. Ptacek
Cc: Focus-IDS
Subject: Re: Active response... some thoughts.

Thomas;

I was also thinking about a liability from a poorly implemented system being able to be used to DOS an address by spoofing packets from that address.

I guess I come back to advocating passive solutions primarily.

Best Wishes,
Chris Travers

Thomas H. Ptacek wrote:


>On 1/31/03 1:22 PM, "Chris Travers" <chris@travelamericas.com> wrote:
Received on Fri Feb 7 22:40:49 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:09 EDT

