Just as a side note... The source of the attack will more likely be a
compromised legitimate business that the attack is originating from.  So the
retaliation attack is not only not hitting the true source of the activity,
it is a setup for a host of trouble... attacking another legitimate
business, which I'm sure would just as soon be avoided.  They might not notice
the DoS being launched FROM them, but they'll sure as heck notice one being
launched AGAINST them.  An argument might be made that they deserved it!...
Well, the law, I think, will view that differently.  Not to mention the
explanation to the boss when your company is being sued over the retaliation
attack software that the IT team installed...

I think retaliation IDS is a bad idea; I think it blurs the real goal of
security: not being vulnerable in the first place.

Just my 2 cents...

Thanks!

-MG
Security Dude

-----Original Message-----
From: McCammon, Keith [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 05, 2002 3:00 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: IDS that retaliates.


This is generally referred to as Active Response.  In most cases
(commercial IDS), this involves the IDS sending TCP RST packets to both
ends of the connection so that the connection is destroyed and cleared
from the buffers.  This is also the extent to which most
commercially-available IDSs "retaliate."  Snort does this, as do ISS and
several other popular systems.

Now, if you're referring to launching counter-attacks or similar
offensives in response to alerts, this isn't going to go mainstream in
the near future.  There are a number of reasons for this, but most
notable is the fact that (in the U.S., anyway) intrusive retaliation is,
technically, every bit as illegal as the act that provoked it in the
first place.

I, too, have heard of government and defense projects that are
developing (and refining) intrusive response technology, but realize
that the details of such systems would not likely be publicized.
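
The TCP RST active response described in the quoted message above, as an added example that is not part of the original thread or any IDS's own code. It computes the sequence numbers a sensor would need for the resets toward both ends of a connection, and how a receiver following RFC 5961 treats a reset that arrives late. The class and function names, addresses and numbers are constructed for illustration, and the observed segment is assumed to carry the ACK flag.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass(frozen=True)
class Segment:  # one segment seen by the sensor (hypothetical type)
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int = 0
    syn: bool = False
    fin: bool = False

@dataclass(frozen=True)
class Reset:  # fields of one RST the sensor would emit (hypothetical type)
    src: str
    sport: int
    dst: str
    dport: int
    seq: int

def active_response_resets(seg):
    """Return (reset_to_receiver, reset_to_sender) for one observed segment."""
    # SYN and FIN each consume one sequence number, like a payload byte.
    consumed = seg.payload_len + int(seg.syn) + int(seg.fin)
    # Toward the receiver: appear to come from the sender, at its next sequence number.
    to_receiver = Reset(seg.src, seg.sport, seg.dst, seg.dport, (seg.seq + consumed) % MOD)
    # Toward the sender: appear to come from the receiver, at the acknowledged number.
    to_sender = Reset(seg.dst, seg.dport, seg.src, seg.sport, seg.ack % MOD)
    return to_receiver, to_sender

def rst_disposition(rcv_nxt, rcv_wnd, rst_seq):
    """How an RFC 5961 receiver treats an incoming RST."""
    if rst_seq == rcv_nxt:
        return "reset"          # exact match: connection is torn down
    if (rst_seq - rcv_nxt) % MOD < rcv_wnd:
        return "challenge_ack"  # in window but not exact: no teardown
    return "discard"            # stale or out of window: silently ignored

# Constructed sample: a 400-byte client segment close to sequence wrap-around.
OBSERVED = Segment("198.51.100.7", 40112, "192.0.2.10", 80,
                   seq=4294967000, ack=1000, payload_len=400)
```

If either endpoint has moved past the observed sequence number by the time the reset arrives, the reset is discarded, which is why this form of active response cannot be relied on as the only control.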
