TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hmm, tricky question.
I assume you're offering some kind of public web access. I don't know
what the real-world risk is of hackers forcing a DOS via real secure
kills. I presume they would not only have to spoof their ip address,
but also know a valid quad (srcip/srcport/dstip/dstport) for an
existing session. Now they could get this if they're able to intercept
traffic to/from your web servers (but if they could do that there's a
good chance they could generate the resets themselves). Otherwise I
think they'd need to guess srcip/srcport (okay, they could start with
low srcports starting around 1024, and send many of them, but that's
getting towards a brute force DOS rather than a targeted pack to
force a realsecure kill). Anybody know whether this is a real risk
or a largely theoretical one?
There are some times when the above is not applicable - for example in
a more controlled environment. Imagine you NEVER expect any telnet
between subnets A and B, or between A and anywhere else. Then you
could set up a connection event for that profile - and whatever a
hacker throws at you there should be no other valid traffic to be
killed. (I imagine some hackers may have stacks which ignore resets,
however Real Secure sends a reset to both parties so unless the stack
on both boxes has been nobbled then at least one end should drop the
connection).
Anyway, your case sounds different from the above.
Definitely switch off real secure kill tagging (I think that's a
global response setting - you may need to merge/update your responses)
because a tagged kill tells the hacker more than you'd want.
I can't remember whether anything else does HTTP_HEADs? So, apart from
whether a hacker could force a DOS against another session, consider
whether anything VALID might try to do an HTTP_HEAD.
Hmm, "ticking off the hacker" is an interesting one... A little bit
like whether you leave a safe full of bricks in your house - the thief
ignores everything else, goes for the safe, and is mad when he finds
out. I don't know how long you've been attacked for, or whether it's
the same person, or whether they keep blindly repeating the same
attack, or just polling you from time to time (i.e. is it personal or
are you one of many?). In other words, from what you know, do you
think he'll lose interest if he gets resets?
Also, how safe do you think you are at the moment (patched up etc) -
is there a chance that one day he'll get lucky in which case sending
resets may be the lesser of two evils.
I'd certainly be interested to hear other people's views on this.
James
=====================================================================
Disclaimer! All views are my own. I accept no responsibility for any
death, injury, damage, loss (financial or otherwise) or inconvenience
- whether caused directly or indirectly - resulting from the use of
information given or implied.
=====================================================================
On Tue, 24 Apr 2001 15:40:08 -0400, you wrote:
>
>
>I am personally against these types of counterattacks, because often the IP
>address is spoofed. Unless you know you are hitting the attacker, you could
>bring down an innocent server which will cause headaches, or worse could
>involve legal action.
>
>It could also really tick off the hacker, which may make them seek
>revenge...
>
>Good luck.
>
>Paul
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
>> Sent: Monday, April 23, 2001 1:17 PM
>> To: [EMAIL PROTECTED]
>> Subject: to RealSecure_Kill or Not
>>
>>
>>
>> Is it a good thing to use RealSecure_Kill, or is it just letting the bad
>> guys know the IDS I am running without any value.
>>
>> I would be interested in knowing the conditions under which companies are
>> triggering RealSecure_Kill. We have what I consider an aggressive stance.
>> If the attack is ranked high and it is against a service or OS we run I
>> kill it. After an extensive set of HTTP_HEAD alerts recording someone
>> attempting various HTTP and cgi attacks I am considering
>> RealSecure_Killing all HTTP_HEAD attempts. I am concerned it would be a
>> "feel good" act that would tell more to the bad guy than I would deny
>> them?
>>
>>
>
>
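To make the two kill policies discussed in this thread concrete (resetting every HTTP_HEAD alert versus a kill limited to a traffic profile that is never legitimate, and only against a session the sensor has actually tracked), here is an added Python model. It is not RealSecure's code; the addresses, session table, monitor host and alert list are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Quad:
    """TCP 4-tuple (srcip/srcport/dstip/dstport) of the packet that raised an alert."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed environment: hypothetical addresses, not from the thread.
SUBNET_A = ip_network("10.1.0.0/16")      # telnet out of A is never expected
WEB_SERVER = "203.0.113.10"
KNOWN_HEAD_CLIENTS = {"192.0.2.50"}       # e.g. an uptime monitor that sends HEAD
# Sessions the sensor saw a full handshake for (constructed session table).
SESSIONS = {
    Quad("198.51.100.7", 40001, WEB_SERVER, 80),
    Quad("192.0.2.50", 51000, WEB_SERVER, 80),
    Quad("10.1.4.9", 1025, "10.2.0.3", 23),
}


def naive_policy(event: str, q: Quad) -> bool:
    """'Kill every HTTP_HEAD and TELNET alert' with no further checks."""
    return event in ("HTTP_HEAD", "TELNET")


def gated_policy(event: str, q: Quad) -> tuple[bool, str]:
    """Reset only for a tracked session and a profile that cannot be legitimate."""
    if q not in SESSIONS:
        # A packet whose quad matches no tracked session is the spoofed /
        # guessed-port case: a reset here can only hit a third party.
        return False, "no tracked session for this quad"
    if event == "TELNET" and q.dst_port == 23 and ip_address(q.src_ip) in SUBNET_A:
        return True, "telnet out of subnet A is never expected"
    if event == "HTTP_HEAD":
        if q.src_ip in KNOWN_HEAD_CLIENTS:
            return False, "known HEAD client; reset would be collateral"
        return True, "HEAD from unknown client against tracked session"
    return False, "no kill rule for this event"


def collateral(alerts: list[tuple[str, Quad]]) -> tuple[int, int]:
    """Kills that would reset a known-legitimate client: (naive, gated)."""
    legit = lambda q: q.src_ip in KNOWN_HEAD_CLIENTS
    naive = sum(1 for e, q in alerts if naive_policy(e, q) and legit(q))
    gated = sum(1 for e, q in alerts if gated_policy(e, q)[0] and legit(q))
    return naive, gated
```

Feed `collateral()` a list such as a monitor's HEAD, a scanner's HEAD on a tracked session, a HEAD with a guessed source port that matches no session, and a telnet from subnet A; the naive policy resets the monitor once, the gated policy never does.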