Gotta agree here (besides the BSD comment), active retaliation is simply a
poor idea because of the false positive problem.  We have seen some amusing
self-inflicted customer DoS attacks due to this issue.  Additionally, some
vendor RST "retaliation" relies on the fact that the monitoring interface
can route packets, thus not in stealth mode.  No thanks, I'll keep my
monitoring interface in stealth and make changes to my firewall when I
verify there is a problem.

pr

-----Original Message-----
From: Marcus J. Ranum [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 7:01 PM
To: Mark Crosbie; Carr, Aaron [CNTUS]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: IDS that retaliates.


Mark Crosbie wrote:
>What good does retaliation really get you though (apart from a whole
>load of legal headache)? Wouldn't "recovery" be a better goal to aim
>for?

We've often gotten requests for "firewall reconfiguration" or other types
of "reaction" - what's interesting to me is that all these requests:
         - reaction
         - retaliation
         - repair
will be limited by the degree of certainty the IDS is able to achieve. If
you've got a 100% accurate diagnosis of the attack and its source then
you _might_ be able to take some steps. If it's not 100% accurate then
things start to go rapidly downhill. :)  I think that in the next 4 or 5
years we'll see IDS getting close to being able to do such things but
before we get there, you'll see:
         - IDS correlation of significance: mapping events against types of
           attacks against types of targets and re-prioritizing their
           significance.
         - IDS indication of confidence level: IDS will start to associate a
           confidence value with an alert instead of just a severity. This is
           an "oh, DUH!" that a lot of us security guys have had recently: the
           severity of the problem is _not_ the same as the IDS' confidence
           of its diagnosis.
         - Establishment of mapping between significance (operationally set)
           of targets versus reactions.

Heck, I'd like my system not to retaliate or reconfigure but to fix itself.
:)

ALERT: SYSALERT, Severity=10, Confidence=10 - your system was
vulnerable to attacks that are being launched against it. OpenBSD
has automatically been installed replacing the copy of Linux that was
on it...

:)

mjr.
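Marcus's point that any reaction has to be gated on the IDS's confidence in its diagnosis (not on severity) and pr's point about self-inflicted customer DoS from false positives, as an added example. This is my own illustration, not code from either poster or from any IDS product; the alert fields, the thresholds, the target-significance table and the addresses are all assumptions constructed for the example.

```python
"""Reaction policy: gate active responses on IDS confidence and target
significance rather than on severity alone. Added example; the alert
fields, thresholds and addresses are this example's own assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One IDS alert. severity = how bad it is if the diagnosis is right;
    confidence = how sure the IDS is that the diagnosis is right (both 1-10)."""
    signature: str
    source: str
    target: str
    severity: int
    confidence: int


# Operator-set significance of targets (1 = throwaway lab box, 10 = crown jewels).
TARGET_SIGNIFICANCE = {"www": 8, "mail": 6, "lab": 1}

# Addresses we never auto-block, whatever the IDS says: blocking a customer's
# gateway on a spoofed-source alert is the self-inflicted DoS pr describes.
NEVER_AUTOBLOCK = {"203.0.113.10"}  # constructed: a customer VPN gateway


def severity_only_policy(alert: Alert) -> str:
    """Naive 'retaliation': block the source of anything that looks severe."""
    return "block" if alert.severity >= 8 else "log"


def confidence_gated_policy(alert: Alert, block_conf: int = 9,
                            notify_conf: int = 6) -> str:
    """Confidence decides *how active* the reaction may be; severity times
    target significance decides whether reacting is worth it at all."""
    risk = alert.severity * TARGET_SIGNIFICANCE.get(alert.target, 5)
    if alert.confidence >= block_conf and risk >= 50:
        action = "block"
    elif alert.confidence >= notify_conf and risk >= 30:
        action = "notify"
    else:
        action = "log"
    # Even a near-certain diagnosis does not justify cutting off a partner
    # automatically; hand it to a human instead.
    if action == "block" and alert.source in NEVER_AUTOBLOCK:
        action = "notify"
    return action


POLICIES = {"severity": severity_only_policy, "gated": confidence_gated_policy}


def run_policy(alerts, policy: str):
    """Apply a policy to an alert stream. Returns (actions, blocked_sources);
    the 'firewall' is just a set, nothing on the network is touched."""
    decide = POLICIES[policy]
    actions, blocked = [], set()
    for alert in alerts:
        action = decide(alert)
        actions.append(action)
        if action == "block":
            blocked.add(alert.source)
    return actions, blocked


# Constructed alert stream (not real traffic). The third alert is the classic
# trap: a spoofed-source flood whose "source" is a customer gateway.
SAMPLE_ALERTS = [
    Alert("port sweep", "198.51.100.7", "www", severity=4, confidence=9),
    Alert("login service overflow", "198.51.100.7", "mail", severity=9, confidence=9),
    Alert("ICMP flood, spoofable source", "203.0.113.10", "www", severity=10, confidence=2),
    Alert("HTTP evasion attempt", "192.0.2.55", "www", severity=6, confidence=5),
    Alert("worm propagation", "203.0.113.10", "mail", severity=9, confidence=9),
]

if __name__ == "__main__":
    for name in POLICIES:
        actions, blocked = run_policy(SAMPLE_ALERTS, name)
        print(f"{name:9s} actions={actions} blocked={sorted(blocked)}")
```

The severity-only policy blocks the customer gateway on a low-confidence, spoofable flood alert; the gated policy only logs it, blocks the one source the IDS is both certain about and that threatens a significant target, and downgrades the partner address to a human notification even when confidence is high. The numeric thresholds are arbitrary; what matters is that confidence and severity are separate inputs to the decision.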
