From: Garbrecht, Frederick (FGarbrecht_at_ecogchair.org)
Date: Tue Jan 28 2003 - 10:31:18 CST
ummmm, just a technical quibble, but a TCP reset wouldn't work with the
Sapphire worm because it propagates using UDP as transport, not TCP.....
Frederick Garbrecht, M.D., GSEC
Coalition of National Cancer Cooperative Groups
-----Original Message-----
From: Kohlenberg, Toby [mailto:toby.kohlenberg_at_intel.com]
Sent: Monday, January 27, 2003 8:27 PM
To: mb_lima; RLos_at_enteredge.com
Cc: detmar.liesen_at_lds.nrw.de; abegetchell_at_qx.net; focus-ids_at_securityfocus.com
Subject: RE: Active response... some thoughts.
> -----Original Message-----
> From: mb_lima [mailto:mb_lima_at_uol.com.br]
> Sent: Monday, January 27, 2003 2:43 AM
> Subject: RE: Active response... some thoughts.
>
> > popular nor, IMHO, effective strategy. First off, as the email mentions
> > below, the attacker can just simply hack his stack to ignore the
> > resets...hey, it's possible. Also, TCP-Resets can create a storm of packets
>
> I don't agree because TCP RST is successful to stop script
> kiddies. Attacks more sophisticated are few and we know that
> there are many ways to bypass IDS sensors (more easy ways).
Actually, TCP resets don't work in many cases- for instance any
situation where you have a single packet exploit (say the Sapphire
worm that just ran through the Net)... This is the same problem
that router/firewall reconfiguration has- by the time the response
happens, the compromise is done.
toby