very true, retaliation is illegal

dp

----- Original Message -----
From: "Mike Gilles" <[EMAIL PROTECTED]>
To: "'McCammon, Keith'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 06, 2002 1:49 AM
Subject: RE: IDS that retaliates.

| Just as a side note... The source of the attack will more likely be a
| compromised legitimate business that the attack is originating from. So the
| retaliation attack is not only not hitting the true source of the activity,
| it is a set up for a host of trouble... attacking another legitimate
| business that I'm sure just as soon be avoided. They might not notice the
| DOS being launched FROM them, but they'll sure as heck notice one being
| launched AGAINST them. An argument might be made that they deserved it!...
| Well the law I think will view that differently. Not to mention the
| explanation to the boss when your company is being sued over the retaliation
| attack software that the IT team installed...
|
| I think retaliation IDS is a bad idea, I think it blurs the real goal of
| security, not being vulnerable in the first place.
|
| just my 2 cents...
|
| Thanks!
|
| -MG
| Security Dude
|
| -----Original Message-----
| From: McCammon, Keith [mailto:[EMAIL PROTECTED]]
| Sent: Tuesday, March 05, 2002 3:00 PM
| To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
| [EMAIL PROTECTED]
| Subject: RE: IDS that retaliates.
|
|
| This is generally referred to as Active Response. In most cases
| (commercial IDS), this involves the IDS sending TCP RST packets to both
| ends of the connection so that the connection is destroyed and cleared
| from the buffers. This is also the extent to which most
| commercially-available IDSs "retaliate." Snort does this, as do ISS and
| several other popular systems.
|
| Now if you're referring to launching counter-attacks or similar
| offensives in response to alerts, this isn't going to go mainstream in
| the near future. There are a number of reasons for this, but most
| notably is the fact that (in the U.S., anyway) intrusive retaliation is,
| technically, every bit as illegal as the act that provoked it in the
| first place.
|
| I, too, have heard of government and defense projects that are
| developing (and refining) intrusive response of technology, but realize
| that the details of such systems would not likely be publicized.
