From: Sangram (sangram_at_mahindrabt.com)
Date: Tue Jan 28 2003 - 22:03:23 CST


    TCP resets are not useful in the case UDP attacks are used, whether small
    pipe or not. A different kind of active response may help. I think this can
    be obtained by implementing the ICMP echo "Port unreachable". This will give
    an attacker false information on the state of UDP ports, as the process of UDP
    scanning also relies on the same principle. What do you think?

    ----- Original Message -----
    From: Kohlenberg, Toby <toby.kohlenbergintel.com>
    To: mb_lima <mb_limauol.com.br>; <FGarbrechtecogchair.org>
    Cc: <RLosenteredge.com>; <detmar.liesenlds.nrw.de>; <abegetchellqx.net>;
    <focus-idssecurityfocus.com>
    Sent: Wednesday, January 29, 2003 12:58 AM
    Subject: RE: Active response... some thoughts.

    > Why not? Packets travel quickly even on small pipes...
    > If a block takes 3 seconds to implement, how many packets
    > will have gone by, even on a small link? It has been a
    > long time since I saw a link that couldn't handle enough
    > packets per second to get a nasty backdoor loaded in less
    > than 3 seconds..
    >
    > toby
    >
    > > -----Original Message-----
    > > From: mb_lima [mailto:mb_limauol.com.br]
    > > Sent: Tuesday, January 28, 2003 8:39 AM
    > > To: FGarbrechtecogchair.org
    > > Cc: Kohlenberg, Toby; RLosenteredge.com; detmar.liesenlds.nrw.de;
    > > abegetchellqx.net; focus-idssecurityfocus.com
    > > Subject: RE: Active response... some thoughts.
    > >
    > >
    > >
    > > Toby,
    > >
    > > > Actually, TCP resets don't work in many cases-
    > > > for instance any situation where you have a single packet
    > > > exploit (say the Sapphire worm that just ran through the
    > > > Net)... This is the same problem that router/firewall
    > > > reconfiguration has- by the time the response happens, the
    > > > compromise is done.
    > >
    > > I agree with you, but I think that in low bandwidth links
    > > this is not a problem.
    > >
    > > Marcelo.
    >

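Added example, not part of the original thread: a sketch of the ICMP response discussed above, building the Destination Unreachable / Port Unreachable message (type 3, code 3, RFC 792) that a sensor would return for an observed IPv4 UDP datagram. The function names, the sample addresses and port, and the choice to build raw bytes without sending them are assumptions made for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def port_unreachable(offending: bytes):
    """Return the ICMP type 3 / code 3 reply to an IPv4 UDP datagram, else None."""
    if len(offending) < 20 or offending[0] >> 4 != 4:
        return None                      # not IPv4
    ihl = (offending[0] & 0x0F) * 4
    if ihl < 20 or len(offending) < ihl + 8 or offending[9] != 17:
        return None                      # bad header, truncated, or not UDP
    if struct.unpack("!H", offending[6:8])[0] & 0x1FFF:
        return None                      # RFC 1122: no errors for non-initial fragments
    src, dst = offending[12:16], offending[16:20]
    # RFC 792: type, code, checksum, 4 unused bytes, then the offending
    # IP header plus the first 8 bytes of its payload (the UDP header).
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(dst, src, 1, len(icmp)) + icmp

def sample_probe() -> bytes:
    """Constructed UDP datagram: 192.0.2.10:40000 -> 198.51.100.5:9999."""
    udp = struct.pack("!HHHH", 40000, 9999, 12, 0) + b"ping"
    return ipv4_header(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]), 17, len(udp)) + udp

if __name__ == "__main__":
    reply = port_unreachable(sample_probe())
    print(len(reply), "byte reply, ICMP type/code", reply[20], reply[21])
```

The reply is addressed to the datagram's claimed source, which UDP does not verify, so a responder like this is normally rate limited. As the thread notes for resets, it also arrives only after the original datagram has already been delivered.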