From: Frank Knobbe (fknobbe_at_knobbeits.com)
Date: Wed Jan 29 2003 - 11:08:35 CST


    On Mon, 2003-01-27 at 19:26, Kohlenberg, Toby wrote:

    > Actually, TCP resets don't work in many cases- for instance any
    > situation where you have a single packet exploit (say the Sapphire
    > worm that just ran through the Net)... This is the same problem
    > that router/firewall reconfiguration has- by the time the response
    > happens, the compromise is done.

    In regards to firewall/router reconfig:
    Yeah, the damage is done and reconfiguring firewalls doesn't help
    'prevent' that attack, but they can help 'contain' that attack. For
    example, the firewall can be reconfigured to deny any traffic to and
    from that attacked device. While in this worm scenario it only prevents
    the infected host from flooding the Internet, and perhaps internal
    network, it doesn't prevent other infected hosts on the local segment
    from flooding out (unless your IDS/firewall tandem is configured in a
    smart way[1]), it does work very well on normal backdoor and bo attacks.
    Even in this scenario the host gets compromised, but the connection to
    the attacker is then cut off by the firewall and the rooted system is
    contained through firewall rules.

    Regards,
    Frank

    [1] Smart way could be denying all packets of the same service crossing
    the firewall. That would prevent other, locally infected, hosts from
    flooding out.

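An added example, not part of the original thread: a small model of the IDS/firewall tandem discussed above, showing what a post-hoc block rule does and does not contain. Host addresses, ports and packets are constructed sample values; the "smart" mode implements the footnote's idea of also denying the exploited service across the firewall.

```python
# Added example (not from the original thread): a model of an IDS/firewall
# tandem reacting to an alert. All hosts, ports and packets are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"

@dataclass
class Firewall:
    blocked_hosts: set = field(default_factory=set)     # quarantine rules
    blocked_services: set = field(default_factory=set)  # (proto, port) rules

    def allows(self, pkt: Packet) -> bool:
        if pkt.src in self.blocked_hosts or pkt.dst in self.blocked_hosts:
            return False
        return (pkt.proto, pkt.dport) not in self.blocked_services

def react_to_alert(fw: Firewall, attacked_host: str, pkt: Packet, smart: bool) -> None:
    """IDS callback: deny traffic to/from the attacked host; in 'smart' mode
    also deny the exploited service crossing the firewall (footnote [1])."""
    fw.blocked_hosts.add(attacked_host)
    if smart:
        fw.blocked_services.add((pkt.proto, pkt.dport))

def simulate(smart: bool) -> dict:
    fw = Firewall()
    # Constructed single-packet exploit: it arrives before any rule exists,
    # so the reaction cannot prevent the compromise itself.
    exploit = Packet("198.51.100.7", "192.0.2.10", 1434)
    exploit_prevented = not fw.allows(exploit)
    react_to_alert(fw, "192.0.2.10", exploit, smart)
    flood_from_infected = Packet("192.0.2.10", "203.0.113.5", 1434)
    flood_from_other_local = Packet("192.0.2.11", "203.0.113.5", 1434)
    reply_to_attacker = Packet("192.0.2.10", "198.51.100.7", 31337, "tcp")
    unrelated = Packet("192.0.2.11", "203.0.113.5", 443, "tcp")
    return {
        "exploit_prevented": exploit_prevented,
        "infected_host_contained": not fw.allows(flood_from_infected),
        "backdoor_channel_cut": not fw.allows(reply_to_attacker),
        "other_local_host_contained": not fw.allows(flood_from_other_local),
        "unrelated_traffic_ok": fw.allows(unrelated),
    }
```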