|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Kohlenberg, Toby (toby.kohlenberg_at_intel.com)
Date: Mon Jan 27 2003 - 19:26:59 CST
> -----Original Message-----
> From: mb_lima [mailto:mb_lima
uol.com.br]
> Sent: Monday, January 27, 2003 2:43 AM
> Subject: RE: Active response... some thoughts.
>
> > popular nor, IMHO, effective strategy. First off, as the em
> ail mentions
> > below, the attacker can just simply hack his stack to ignore
> the
> > resets...hey, it's possible. Also, TCP-
> Resets can create a storm of packets
>
> I donīt agree because TCP RST is sucessful to stop script
> kiddies. Attacks more sofisticated are few and we know that
> there are many ways to bypass IDS sensors (more easy ways).
Actually, TCP resets don't work in many cases- for instance any
situation where you have a single packet exploit (say the Saphire
worm that just ran through the Net)... This is the same problem
that router/firewall reconfiguration has- by the time the response
happens, the compromise is done.
toby
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]