IDS: Re: Active response... some thoughts.

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

IDS mailing list archives

Re: Active response... some thoughts.

From: Chris Travers <chris () travelamericas com>
Date: Tue, 04 Feb 2003 23:16:08 -0800

Thomas;

I was also thinking about a liability from a poorly implimented systembeing able to be used to DOS an address by spoofing packets from thataddress.


I guess I come back to advocating passive solutions primarily.

Best Wishes,
Chris Travers

Thomas H. Ptacek wrote:

On 1/31/03 1:22 PM, "Chris Travers" <chris () travelamericas com> wrote:

An IDS could have hooks into a routers filtering tables in order to
temporarily ban that IP address.  This has the advantage of the RST in
that all inbound traffic from the attacker would be stopped, but would


ACL countermeasures are generally avoided because it is hard to make them
fail safely. It is not easy to push soft-state ACLs to Cisco and Juniper
routers; the risk that the IDS could get desynchronized from the filter is
large.

By Date By Thread

Current thread:

RE: Active response... some thoughts. Brian Laing (Feb 03)
- <Possible follow-ups>
- Re: Active response... some thoughts. Chris Travers (Feb 03)
  - Re: Active response... some thoughts. Scott Wimer (Feb 05)
  - Re: Active response... some thoughts. Thomas H. Ptacek (Feb 05)
    - Re: Active response... some thoughts. Chris Travers (Feb 05)
    - RE: Active response... some thoughts. Pete Herzog (Feb 06)
- RE: Active response... some thoughts. Gonzalez, Albert (Feb 05)
  - RE: Active response... some thoughts. Rob McMillen (Feb 06)
- Re: Active response... some thoughts. Ali Saifullah Khan (Feb 05)
  - RE: Active response... some thoughts. Abe L. Getchell (Feb 06)