-----Original Message-----
From: Simon Edwards 
Sent: 08 March 2002 21:29
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: IDS that retaliates.


I have heard of similar things, probably one of the best being one that
tracks down offenders and notifies authorities etc. (I know ISS' X-Force had
a prototype for this and I think Blade Software might be up to something
too).

The idea being that you have a black box (sat away from your network, say in
the ISP) - and when the IDS detects an attack (or a combination of attacks)
an instruction is sent to the black box which then starts to do lookups and
traces on the hacker (note the reason for the remote location is that it
will have a completely different set of IPs, and so the hacker may not
connect that it is coming from his target).

The detector then starts gathering information to be passed to the relevant LEA
(local enforcement agency). The idea not being "let's screw up this guy's
machine", but more "let's get a prosecution".

Not sure if this went beyond Skunk Worx though ...

Si

________________________________________________
Simon Edwards
Technical Evangelist
Top Layer Networks
US Office  : + 1 508 870 1300 (x230)
US Mobile : + 1 617 953 8764
UK Office  : + 44 1252 748509
UK Mobile : + 44 7971 959170
www: www.TopLayer.com <http://www.TopLayer.com> 
email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
 
"Perfecting the Art of Network Security" 
------------------------------------------------------------------------------------


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 06 March 2002 13:41
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: IDS that retaliates.


Agreed. Plus, you can't go launching counter-attacks when most of the time
the machine you would be attacking was not at fault.  It's been spoofed in
some way, shape or form.  Therefore, you would be taking down an innocent
network.

-----Original Message-----
From: McCammon, Keith [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 05, 2002 3:00 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: IDS that retaliates.


This is generally referred to as Active Response.  In most cases
(commercial IDS), this involves the IDS sending TCP RST packets to both
ends of the connection so that the connection is destroyed and cleared
from the buffers.  This is also the extent to which most
commercially-available IDSs "retaliate."  Snort does this, as do ISS and
several other popular systems.

Now if you're referring to launching counter-attacks or similar
offensives in response to alerts, this isn't going to go mainstream in
the near future.  There are a number of reasons for this, but most
notable is the fact that (in the U.S., anyway) intrusive retaliation is,
technically, every bit as illegal as the act that provoked it in the
first place.

I, too, have heard of government and defense projects that are
developing (and refining) intrusive response technology, but realize
that the details of such systems would not likely be publicized.

############################################################
This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended 
recipient, please contact the sender by reply email and 
destroy all copies of the original message.  Any views 
expressed in this message are those of the individual 
sender, except where the sender specifically states them 
to be the views of Intelsat, Ltd. and its subsidiaries.
############################################################
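The RST-based "active response" described in the message above, as an added worked example (Python). This is not code from the original thread, from Snort or from ISS; it only shows the packet-level mechanics. It assumes a sensor that has just seen one segment of the offending connection (the OBSERVED dict is a constructed sample) and builds the two forged RST segments, one spoofed toward each endpoint, with valid IP and TCP checksums. Actually transmitting them needs a raw socket on the sensor, which is deliberately left out so the block runs offline; `build_segment`, `reset_pair`, `parse_segment` and `checksums_valid` are names chosen here, not an API of any product.

```python
import ipaddress
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, returned inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags) -> bytes:
    """IPv4 header + TCP header (no options, no payload) with both checksums filled in."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def reset_pair(obs: dict):
    """Return (rst_to_sender, rst_to_receiver) for one observed segment.

    A host only honours a RST whose sequence number is what it expects next,
    so each forged RST borrows the other side's numbers:
      - to the sender:   spoofed from the receiver, seq = observed ack
      - to the receiver: spoofed from the sender,   seq = observed seq + bytes consumed
    SYN and FIN each consume one sequence number in addition to the payload.
    """
    consumed = obs["payload_len"] + bool(obs["flags"] & TCP_SYN) + bool(obs["flags"] & TCP_FIN)
    next_seq = (obs["seq"] + consumed) & 0xFFFFFFFF
    to_sender = build_segment(obs["dst_ip"], obs["src_ip"], obs["dport"], obs["sport"],
                              obs["ack"], next_seq, TCP_RST | TCP_ACK)
    to_receiver = build_segment(obs["src_ip"], obs["dst_ip"], obs["sport"], obs["dport"],
                                next_seq, obs["ack"], TCP_RST | TCP_ACK)
    return to_sender, to_receiver


def parse_segment(pkt: bytes) -> dict:
    """Pull addresses, ports, seq/ack and flags back out of a built segment."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src_ip": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(pkt[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def checksums_valid(pkt: bytes) -> bool:
    """True when the one's-complement sum over IP header and TCP pseudo-header+segment is 0."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


# Constructed sample (not captured traffic): a client data segment the sensor alerted on.
OBSERVED = {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10",
            "sport": 40123, "dport": 80, "seq": 1000, "ack": 5000,
            "flags": TCP_PSH | TCP_ACK, "payload_len": 200}

if __name__ == "__main__":
    for label, pkt in zip(("RST to sender", "RST to receiver"), reset_pair(OBSERVED)):
        print(label, parse_segment(pkt), "checksums ok:", checksums_valid(pkt))
```

Two caveats a practitioner would add before relying on this: the forged RSTs race the real traffic, so a sensor on a passive tap often loses (an inline device does not), and modern stacks following RFC 5961 answer a RST whose sequence number is in-window but not exact with a challenge ACK rather than tearing the connection down. Note also that this response only affects the two endpoints of the observed connection; it does nothing to a third party, which is exactly why, unlike the counter-attacks discussed elsewhere in this thread, a spoofed source address costs an innocent host nothing more than a stray RST.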
