From: Brian Laing (Brian.Laing_at_Blade-Software.com)
Date: Wed Jan 29 2003 - 12:12:15 CST


    I would agree. In the many IDS installations I have either done or
    monitored over the years, the only real use of TCP reset that was useful,
    and that my customers were willing to put in place, was using it to kill
    network games, IM connections for file transfers, and as a response to
    backdoor traffic (depending on the back door, maybe useful or useless). I
    did have a few that used it to prevent unauthorized FTP traffic as well,
    but for what most people think of as attacks it is definitely more of a
    marketing buying criterion than a user criterion.


    -------------------------------------------------------------------
    Brian Laing
    CTO
    Blade Software
    Cellphone: +1 650.280.2389
    Telephone: +1 650 367.9376
    eFax: +1 208.575.1374
    Blade Software - Because Real Attacks Hurt
    http://www.Blade-Software.com
    -------------------------------------------------------------------

    -----Original Message-----
    From: Todd Heberlein [mailto:todd_heberlein@mac.com]
    Sent: Tuesday, January 28, 2003 3:25 PM
    To: Garbrecht, Frederick
    Cc: focus-ids@securityfocus.com
    Subject: Re: Active response... some thoughts.

    On Tuesday, January 28, 2003, at 08:31 AM, Garbrecht, Frederick wrote:

    > ummmm, just a technical quibble, but a TCP reset wouldn't work with the
    > Sapphire worm because it propagates using UDP as transport, not
    > TCP.....

    It is just a minor quibble because the point is that the attack was
    completely contained in a single packet. The same would have held true
    if it was over a TCP/IP connection. Once the attack has been
    completed, a TCP RST would provide no value. It is the proverbial
    closing the barn doors after the horse is already out.

    RST is largely a marketing solution, not a technical solution.

    Todd
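The two limits Todd describes (no reset exists for UDP, and a reset issued in reaction to a segment cannot recall the bytes that segment already carried) are easy to see by building the forged RST pair a sniffing sensor would inject. The following is an added example, not code from the thread or from any product named in it; the addresses, ports and payloads are constructed, and only the 376-byte UDP/1434 size and port of the second packet match the real Sapphire/Slammer datagram. The sequence-number arithmetic is the usual one for a tap-based reset: the RST toward the server carries the next sequence number the server expects after the flagged segment, and the RST toward the client carries the client's own expected sequence number (the flagged segment's ACK).

```python
"""Minimal model of IDS 'TCP reset' active response, with raw IPv4/TCP/UDP builders.

Added example for the focus-ids thread above; all hosts and payloads are constructed.
"""
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_FLAG_RST, TCP_FLAG_PSH, TCP_FLAG_ACK = 0x04, 0x08, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """IPv4 header without options, header checksum filled in, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(src: bytes, dst: bytes, sport: int, dport: int, seq: int, ack: int, flags: int, payload: bytes = b"") -> bytes:
    """TCP header without options; checksum covers the IPv4 pseudo-header, header and payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP, len(hdr) + len(payload))
    hdr = hdr[:16] + struct.pack("!H", inet_checksum(pseudo + hdr + payload)) + hdr[18:]
    return hdr + payload


def build_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header with pseudo-header checksum (a zero result is sent as all ones, per RFC 768)."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_UDP, length)
    csum = inet_checksum(pseudo + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"proto": pkt[9], "src": pkt[12:16], "dst": pkt[16:20], "payload": pkt[ihl:total_len]}


def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", seg[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "payload": seg[(off >> 4) * 4:]}


def tcp_checksum_ok(pkt: bytes) -> bool:
    """True when the TCP segment inside an IPv4 packet carries a valid checksum."""
    ip = parse_ipv4(pkt)
    pseudo = struct.pack("!4s4sBBH", ip["src"], ip["dst"], 0, IPPROTO_TCP, len(ip["payload"]))
    return inet_checksum(pseudo + ip["payload"]) == 0


def reset_response(pkt: bytes) -> dict:
    """What a sniffing sensor can inject once `pkt` has been flagged by some (unspecified) signature.

    'delivered' is the number of transport-payload bytes that were already past the sensor
    when the response is generated; no reset can take those back.
    """
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_TCP:
        delivered = len(ip["payload"]) - 8 if ip["proto"] == IPPROTO_UDP else len(ip["payload"])
        return {"action": "none", "reason": "no TCP connection to tear down", "delivered": delivered, "rsts": []}
    tcp = parse_tcp(ip["payload"])
    plen = len(tcp["payload"])
    # Toward the server: seq must equal what the server expects next, i.e. the flagged segment's seq + length.
    to_server = build_ipv4(ip["src"], ip["dst"], IPPROTO_TCP,
                           build_tcp(ip["src"], ip["dst"], tcp["sport"], tcp["dport"],
                                     (tcp["seq"] + plen) & 0xFFFFFFFF, 0, TCP_FLAG_RST))
    # Toward the client: seq must equal the client's expected sequence number, i.e. the flagged segment's ACK.
    to_client = build_ipv4(ip["dst"], ip["src"], IPPROTO_TCP,
                           build_tcp(ip["dst"], ip["src"], tcp["dport"], tcp["sport"], tcp["ack"], 0, TCP_FLAG_RST))
    return {"action": "rst", "reason": "RST pair stops later segments only", "delivered": plen, "rsts": [to_server, to_client]}


# Constructed traffic (documentation addresses; payloads are filler, not real exploits).
CLIENT, SERVER = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
ATTACK_SEGMENT_PAYLOAD = b"constructed stand-in for a one-segment TCP attack payload"
TCP_ATTACK = build_ipv4(CLIENT, SERVER, IPPROTO_TCP,
                        build_tcp(CLIENT, SERVER, 40000, 80, 1000, 5000, TCP_FLAG_PSH | TCP_FLAG_ACK, ATTACK_SEGMENT_PAYLOAD))
WORM_SRC, WORM_DST = bytes([198, 51, 100, 5]), bytes([192, 0, 2, 30])
UDP_ATTACK = build_ipv4(WORM_SRC, WORM_DST, IPPROTO_UDP,
                        build_udp(WORM_SRC, WORM_DST, 1025, 1434, b"A" * 376))  # Slammer-sized datagram, filler content

if __name__ == "__main__":
    for name, pkt in (("TCP single segment", TCP_ATTACK), ("UDP/1434 datagram", UDP_ATTACK)):
        r = reset_response(pkt)
        print(f"{name}: action={r['action']} delivered={r['delivered']} bytes ({r['reason']})")
```

Run stand-alone, the TCP case yields a valid RST pair while reporting that the whole flagged payload was already delivered; the UDP case yields nothing at all. Either way the sensor's response arrives after the only packet that mattered, which is the "barn door" point in Todd's reply.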