And even if it (IDS) did track back to the right source, don't forget the factor that some of those systems might be taken over and used as zombie hosts without the notice of the system owners (admins).
Thus, you are adding more pain and suffering to those poor people by having an active retaliation. ^_^

Reidy, Patrick wrote:

> Gotta agree here (beside the BSD comment), active retaliation is simply a
> poor idea because of the false positive problem. We have seen some amusing
> self-inflicted customer DOS attacks due to this issue. Additionally, some
> vendor RST "retaliation" relies on the fact that the monitoring interface
> can route packets, thus not in stealth mode. No thanks, I'll keep my
> monitoring interface in stealth and make changes to my firewall when I
> verify there is a problem.
>
> pr
>
> -----Original Message-----
> From: Marcus J. Ranum [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 06, 2002 7:01 PM
> To: Mark Crosbie; Carr, Aaron [CNTUS]
> Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: IDS that retaliates.
>
>
> Mark Crosbie wrote:
>
>> What good does retaliation really get you though (apart from a whole
>> load of legal headache)? Wouldn't "recovery" be a better goal to aim
>> for?
>>
>
> We've often gotten requests for "firewall reconfiguration" or other types
> of "reaction" - what's interesting to me is that all these requests:
> - reaction
> - retaliation
> - repair
> will be limited by the degree of certainty the IDS is able to achieve. If
> you've got a 100% accurate diagnosis of the attack and its source then
> you _might_ be able to take some steps. If it's not 100% accurate then
> things start to go rapidly downhill. :) I think that in the next 4 or 5
> years we'll see IDS getting close to being able to do such things but
> before we get there, you'll see:
> - IDS correlation of significance: mapping events against types of
> attacks against types of targets and re-prioritizing their
> significance.
> - IDS indication of confidence level: IDS will start to associate a
> confidence value with an alert instead of just a severity. This is
> an "oh, DUH!" that a lot of us security guys have had recently: the
> severity of the problem is _not_ the same as the IDS' confidence
> of its diagnosis.
> - Establishment of mapping between significance (operationally set)
> of targets versus reactions.
>
> Heck, I'd like my system not to retaliate or reconfigure but to fix itself.
> :)
>
> ALERT: SYSALERT, Severity=10, Confidence=10 - your system was
> vulnerable to attacks that are being launched against it. OpenBSD
> has automatically been installed replacing the copy of Linux that was
> on it...
>
> :)
>
> mjr.
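As an added illustration of the reaction policy Marcus sketches (severity kept separate from confidence, target significance set by the operator, and reactions gated on certainty), here is a small Python decision engine; it is example code written for this thread, not any vendor's IDS, and the target names, thresholds and block budget are assumptions.

```python
from dataclasses import dataclass

# Constructed example: one IDS alert carrying a severity (how bad the attack
# is if the diagnosis is right) and a separate confidence (how sure the
# sensor is that the diagnosis and the source are right).
@dataclass
class Alert:
    src: str
    target: str
    severity: int      # 1..10
    confidence: int    # 1..10
    established: bool  # seen inside a completed TCP handshake, so src was not spoofed

# Hypothetical operator-set significance of targets (the third point above).
TARGET_SIGNIFICANCE = {"db-prod": 10, "www": 7, "lab-box": 2}

LOG, NOTIFY, STAGE, AUTO_BLOCK = "log", "notify", "stage-firewall-rule", "auto-block"

class ReactionPolicy:
    """Map (target significance, severity, confidence) to a reaction.
    Retaliation is never an option; an automatic firewall change needs a
    high-confidence diagnosis, a source that cannot have been spoofed, and
    a per-window budget so a false-positive storm cannot DoS your own site."""

    def __init__(self, block_confidence=9, max_blocks=5, window=600):
        self.block_confidence = block_confidence
        self.max_blocks = max_blocks
        self.window = window          # seconds
        self.block_times = []         # timestamps of automatic blocks

    def decide(self, alert, now):
        significance = TARGET_SIGNIFICANCE.get(alert.target, 5)
        # Re-prioritise: a severe attack on an unimportant host is not urgent.
        if alert.severity * significance < 20:
            return LOG
        if alert.confidence < 5:
            return NOTIFY                      # a human verifies first
        if alert.confidence < self.block_confidence or not alert.established:
            # Not sure enough, or no handshake (source may be spoofed or an
            # innocent zombie): stage the rule for review instead of applying it.
            return STAGE
        self.block_times = [t for t in self.block_times if now - t < self.window]
        if len(self.block_times) >= self.max_blocks:
            return NOTIFY                      # budget spent: stop blocking
        self.block_times.append(now)
        return AUTO_BLOCK
```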
