From: mb_lima (mb_lima_at_uol.com.br)
Date: Wed Jan 29 2003 - 12:45:39 CST


     Sangram,

       I think that this solution does not work very well. UDP is
    a connectionless protocol and I think that many of these ICMP
    packets will only be discarded at the destination because the
    malicious application will have finished after sending the UDP
    packets.

    Regards,

      Marcelo

    > TCP resets are not useful in the case UDP attacks are used; whether small
    > pipe or not. A different kind of active response may help. I think this can
    > be obtained by implementing the ICMP echo "Port unreachable". This will give
    > an attacker false information on state of UDP ports as the process of UDP
    > scanning also relies on the same principle. What do u think?
    >
    > ----- Original Message -----
    > From: Kohlenberg, Toby <toby.kohlenbergintel.com>
    > To: mb_lima <mb_limauol.com.br>; <FGarbrechtecogchair.org>
    > Cc: <RLosenteredge.com>; <detmar.liesenlds.nrw.de>; <abegetchellqx.net>;
    > <focus-idssecurityfocus.com>
    > Sent: Wednesday, January 29, 2003 12:58 AM
    > Subject: RE: Active response... some thoughts.
    >
    > > Why not? Packets travel quickly even on small pipes...
    > > If a block takes 3 seconds to implement, how many packets
    > > will have gone by, even on a small link? It has been a
    > > long time since I saw a link that couldn't handle enough
    > > packets per second to get a nasty backdoor loaded in less
    > > than 3 seconds..
    > >
    > > toby
    > >
    > > > -----Original Message-----
    > > > From: mb_lima [mailto:mb_limauol.com.br]
    > > > Sent: Tuesday, January 28, 2003 8:39 AM
    > > > To: FGarbrechtecogchair.org
    > > > Cc: Kohlenberg, Toby; RLosenteredge.com; detmar.liesenlds.nrw.de;
    > > > abegetchellqx.net; focus-idssecurityfocus.com
    > > > Subject: RE: Active response... some thoughts.
    > > >
    > > >
    > > >
    > > > Toby,
    > > >
    > > > > Actually, TCP resets don't work in many cases- for instance any
    > > > > situation where you have a single packet exploit (say the Sapphire
    > > > > worm that just ran through the Net)... This is the same problem
    > > > > that router/firewall reconfiguration has- by the time the response
    > > > > happens, the compromise is done.
    > > >
    > > > I agree with you, but I think that in low bandwidth links
    > > > this is not a problem.
    > > >
    > > > Marcelo.
    > >