From: Crist Clark (crist.clarkGLOBALSTAR.COM)
Date: Fri Jan 19 2001 - 12:45:03 CST

    Birk Richter wrote:
    >
    > Hello,
    >
    > the ISS RealSecure Network Engine has the
    > possibility to respond to detected attacks with
    > a RST-TCP-packet (RS-Kill).

    In general, a self-DOS waiting to happen.

    > my questions are:
    >
    > To which IP-Dest addresses RealSecure sends
    > the RS-Kill (server or client or both) ?

    I don't know for sure with this product, but typically, if there
    is an established TCP connection the RST's go in both directions.
    If not, the potential for a self-DOS is even greater.

    > Which MAC-Src address RealSecure uses for
    > building the RS-Kill (the own or faked for
    > server, client (router)) ?
    >
    > If RealSecure uses the own MAC then you have
    > false entries in the arp cache of router/switch.

    You do? Why? At what point is the RealSecure machine responding
    to an ARP query?

    > If RealSecure uses faked MAC for server or client
    > then you have false entries in the bridging table
    > of the switch.

    Again, when is it going to be responding to an ARP query? It is
    only going to be sending, never receiving (except in a promiscuous
    mode which has no impact on your ARP tables).

    > Exist any solutions for this (potential) problem ?

    I do not see a problem.

    --
    Crist J. Clark                                Network Security Engineer
    crist.clarkglobalstar.com                    Globalstar, L.P.