Some of the Back Orifice detectors were the first to do this that I know of. Since many people scanning for BO were actually infected with it, it became a fun game for some people.

If the true attacker wanted to take this a step further, they would spoof the address of another, or several other, IDS that is set to "counter-attack". Now the counter-attack just turned into a nice little war ;)

Although it may seem cool to have a counter-attack system in place, it's just serving as an additional front that a malicious person could use to turn your network on others or on itself. Along with the legal and ethical implications, blah, blah, blah...

Even active response (tcp teardown & dynamic firewall rules) can become burdens. I believe the fundamental steps of security could be stated this way: reduce your surface area and add more layers.

Dan

On Tue, Mar 05, 2002 at 04:14:09PM -0600, Mike Shaw wrote:
> > Now if you're referring to launching counter-attacks or similar
> > offensives in response to alerts, this isn't going to go mainstream in
> > the near future. There are a number of reasons for this, but most
> > notably is the fact that (in the U.S., anyway) intrusive retaliation is,
> > technically, every bit as illegal as the act that provoked it in the
> > first place.
>
> Another consideration--spoof or otherwise trick the retaliating IDS into
> thinking you're someone else, and that 'someone else' gets nailed and the
> retaliating IDS' fingerprints are on it.
>
> -Mike
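The failure mode Dan and Mike describe (a responder that acts on the claimed source address can be pointed at your own gateway, resolver or peer sensor by anyone who can forge a packet) is easy to reproduce on a whiteboard. The Python below is an added illustration written for this archive page; it is not code from either poster and it does not touch a network. The alerts, the host addresses (203.0.113.9, 198.51.100.7, the 10.0.0.0/24 infrastructure set) and the signature name are constructed for the demo. It contrasts a naive "block every source that trips a rule" responder with one that only auto-blocks when the sensor saw a completed TCP handshake (which an off-path spoofer cannot complete) and that never blocks allowlisted infrastructure, deferring everything else to a human queue.

```python
# Added illustration (not part of the thread): a toy "active response" engine
# fed constructed alerts, showing how auto-blocking on the claimed source
# address lets spoofed packets turn the responder against its own network,
# and one way to make the responder harder to weaponise.
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """A constructed IDS alert. handshake_done is True only when the sensor saw a
    complete TCP three-way handshake with this source, which an off-path
    spoofer cannot forge; a bare SYN or a UDP datagram is trivially spoofable."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    handshake_done: bool
    signature: str


# Hosts the responder must never cut off (assumed addresses for the demo).
INFRASTRUCTURE = {
    "10.0.0.1",    # default gateway
    "10.0.0.53",   # internal resolver
    "10.0.0.2",    # peer IDS sensor
}


class NaiveResponder:
    """Blocks whatever source address appears in the alert. This is the
    'dynamic firewall rule on every hit' model the thread warns about."""

    def __init__(self):
        self.blocked = set()
        self.deferred = []

    def handle(self, alert):
        self.blocked.add(alert.src)
        return True


class HardenedResponder:
    """Only auto-blocks when the evidence is hard to spoof and the source is not
    on the allowlist; everything else is queued for a human instead of acted on."""

    def __init__(self, allowlist):
        self.blocked = set()
        self.deferred = []
        self.allowlist = set(allowlist)

    def handle(self, alert):
        if alert.src in self.allowlist:
            self.deferred.append((alert, "allowlisted infrastructure"))
            return False
        if alert.proto != "tcp" or not alert.handshake_done:
            self.deferred.append((alert, "source not validated by handshake"))
            return False
        self.blocked.add(alert.src)
        return True


# Constructed event stream: one real scanner that completed a handshake, plus
# three forged packets whose source fields name hosts the victim depends on.
EVENTS = [
    Alert("203.0.113.9", "10.0.0.20", "tcp", True, "BO client probe"),
    Alert("10.0.0.53", "10.0.0.20", "udp", False, "BO client probe"),
    Alert("10.0.0.1", "10.0.0.20", "tcp", False, "BO client probe"),
    Alert("198.51.100.7", "10.0.0.20", "tcp", False, "BO client probe"),
]


def run(responder, events=EVENTS):
    """Feed every event to the responder and return the set it ended up blocking."""
    for alert in events:
        responder.handle(alert)
    return responder.blocked


def self_inflicted_damage(responder, infrastructure=INFRASTRUCTURE):
    """Infrastructure hosts the responder has cut itself off from."""
    return responder.blocked & set(infrastructure)


if __name__ == "__main__":
    naive = NaiveResponder()
    run(naive)
    print("naive blocked:     ", sorted(naive.blocked))
    print("naive self-damage: ", sorted(self_inflicted_damage(naive)))

    hardened = HardenedResponder(INFRASTRUCTURE)
    run(hardened)
    print("hardened blocked:  ", sorted(hardened.blocked))
    print("hardened deferred: ", [(a.src, why) for a, why in hardened.deferred])
```

Run as a script, the naive responder ends up with its own resolver and gateway in the block set and an innocent third party (198.51.100.7) blocked on nothing more than a forged SYN, which is exactly the "war" Dan describes; the hardened one blocks only the host that actually completed a connection and leaves the three forgeries in its review queue. The handshake requirement is the load-bearing part: it does not stop an attacker who can sit on-path, but it removes the cheap off-path spoofing Mike points out, and the allowlist bounds the damage even when the check is wrong.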