List:       focus-ids
Subject:    Re: RS-Kill and MAC SRC Addr
From:       Crist Clark <crist.clark () GLOBALSTAR ! COM>
Date:       2001-01-19 18:45:03

Birk Richter wrote:
>
> Hello,
>
> the ISS RealSecure Network Engine has the
> possibility to respond to detected attacks with
> a RST-TCP-packet (RS-Kill).

In general, a self-DOS waiting to happen.

> my questions are:
>
> To which IP-Dest addresses does RealSecure send
> the RS-Kill (server or client or both)?

I don't know for sure with this product, but typically, if there
is an established TCP connection the RST's go in both directions.
If not, the potential for a self-DOS is even greater.

> Which MAC-Src address does RealSecure use for
> building the RS-Kill (its own or faked for
> server, client (router))?
>
> If RealSecure uses its own MAC then you have
> false entries in the arp cache of router/switch.

You do? Why? At what point is the RealSecure machine responding
to an ARP query?

> If RealSecure uses faked MAC for server or client
> then you have false entries in the bridging table
> of the switch.

Again, when is it going to be responding to an ARP query? It is
only going to be sending, never receiving (except in a promiscuous
mode which has no impact on your ARP tables).

> Do any solutions exist for this (potential) problem?

I do not see a problem.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.