TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
I think Paul was saying (correct me if I'm wrong) that there could be
an ongoing session of:
a) ongoing session:
goodhost:clientport -> webserver:80
and a hacker could send a packet with malicious payload, from a
spoofed source address of goodhost and source port of clientport, ie:
b) packet with spoofed source and malicious payload:
goodhost:clientport -> webserver:80 (malicious payload)
in which case RealSecure would possibly generate resets (if so
configured) and end up killing (a).
Having pondered this at length in a previous posting, it has just
dawned on me that the hacker could just spoof a reset anyway. I don't
remember whether seqno's have to be valid for a reset but I imagine
not. So... if a hacker was able to determine/guess/brute-force a valid
quad (srcip/srcprt/dstip/dstprt) for an existing session then he could
force RealSecure to generate a kill for that session. Yes, legally, I
suppose it would have been RealSecure that killed the session.
However, in many cases I think it would be hard for a hacker to find
valid quads, plus they could probably spoof their own resets directly.
The one thing to be very wary of is any firewall reconfiguration based
purely on blocking an attacking IP address because a hacker could
spoof that and force a DoS (he could pick IP addresses of common ISP
proxies out on to the internet, or one of your major trading partners
or whatever). At least with resets it is per-session.
James
On Wed, 25 Apr 2001 07:04:24 -0400, "Fitch, Brian (ISSAtlanta)"
<[EMAIL PROTECTED]> wrote:
>
>
>The RealSecure kill is just a pair of TCP RSTs sent to both parties to the
>TCP session. I fail to see how this can bring down an innocent server.
>
>Brian Laing raises a good point in that you can uncheck the "tag RealSecure
>kills" button in your responses. In such cases, the party on the other end
>would get a message like "the connection has been reset"...not much more.
>
>Another option involving RealSecure would be to use its ability to
>reconfigure a Check Point Firewall-1.
>
>Cheers,
>
>Brian
>
>-----Original Message-----
>From: Paul Van Gurp [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, April 24, 2001 3:40 PM
>To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
>Subject: RE: to RealSecure_Kill or Not
>
>
>
>
>I am personally against these types of counterattacks, because often the IP
>address is spoofed. Unless you know you are hitting the attacker, you could
>bring down an innocent server which will cause headaches, or worse could
>involve legal action.
>
>It could also really tick off the hacker, which may make them seek
>revenge...
>
>Good luck.
>
>Paul
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
>> Sent: Monday, April 23, 2001 1:17 PM
>> To: [EMAIL PROTECTED]
>> Subject: to RealSecure_Kill or Not
>>
>>
>>
>> Is it a good thing to use RealSecure_Kill, or is it just letting the bad
>> guys know the IDS I am running without any value.
>>
>> I would be interested in knowing the conditions under which companies are
>> triggering RealSecure_Kill. We have what I consider an aggressive stance.
>> If the attack is ranked high and it is against a service or OS we run I
>> kill it. After an extensive set of HTTP_HEAD alerts recording someone
>> attempting various HTTP and cgi attacks I am considering
>> RealSecure_Killing all HTTP_HEAD attempts. I am concerned it would be a
>> "feel good" act that would tell more to the bad guy than I would deny
>> them?
>>
>>
>
>
>
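The blast-radius argument in James's message above (a kill is a pair of RSTs scoped to one 4-tuple, a firewall block on the source address is not, and a spoofed source can turn either into a denial of service), as an added Python model that is not part of the original thread; the session table, addresses and the protected-source list are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Quad:
    """One TCP session as the sensor sees it: srcip/srcprt/dstip/dstprt."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed session table: one web server with several live clients.
WEBSERVER = "192.0.2.10"
ACTIVE_SESSIONS = [
    Quad("198.51.100.7", 40001, WEBSERVER, 80),   # "goodhost" session (a) from the thread
    Quad("198.51.100.7", 40002, WEBSERVER, 80),   # other users behind the same proxy IP
    Quad("198.51.100.7", 40003, WEBSERVER, 80),
    Quad("203.0.113.5", 51000, WEBSERVER, 80),    # unrelated client
]

# Constructed list of source ranges an automated block must never touch
# (ISP proxies, trading partners): a spoofed packet "from" them is a DoS lever.
PROTECTED_SOURCES = [ip_network("198.51.100.0/24")]

def sessions_hit_by_kill(alert: Quad, sessions):
    """A kill is a pair of RSTs for one session: only an exact 4-tuple match is affected."""
    return [s for s in sessions if s == alert]

def sessions_hit_by_ip_block(alert: Quad, sessions):
    """A firewall rule blocking the source address drops every session from that address."""
    return [s for s in sessions if s.src_ip == alert.src_ip]

def choose_response(alert: Quad, sessions, protected):
    """Defender's policy: never auto-block a protected source, prefer the per-session
    kill when a block would cut more sessions, and report both blast radii so the
    impact of a possibly spoofed alert is visible in the log."""
    kill_hits = sessions_hit_by_kill(alert, sessions)
    block_hits = sessions_hit_by_ip_block(alert, sessions)
    src = ip_address(alert.src_ip)
    if any(src in net for net in protected):
        action = "alert_only"       # address may be spoofed; cutting it off would hurt us more
    elif len(block_hits) > len(kill_hits):
        action = "kill_session"     # block would take down unrelated sessions from that IP
    else:
        action = "block_source"     # nothing else from that address is live
    return {"action": action,
            "kill_would_cut": len(kill_hits),
            "block_would_cut": len(block_hits)}
```

A spoofed packet carrying goodhost's quad shows up as a kill that would cut exactly one session but a block that would cut three, and the protected-source check turns both into an alert only.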