[prev in list] [next in list] [prev in thread] [next in thread]
List: focus-ids
Subject: Re: RS-Kill and MAC SRC Addr
From: Crist Clark <crist.clark () GLOBALSTAR ! COM>
Date: 2001-01-19 18:45:03
[Download RAW message or body]
Birk Richter wrote:
>
> Hello,
>
> the ISS RealSecure Network Engine has the
> possibilty to respond to detected attacks with
> a RST-TCP-packet (RS-Kill).
In general, a self-DOS waiting to happen.
> my questions are:
>
> To which IP-Dest addresses RealSecure sends
> the RS-Kill (server or client or both) ?
I don't know for sure with this product, but typically, if there
is an established TCP connection the RST's go in both directions.
If not, the potential for a self-DOS is even greater.
> Which MAC-Src address RealSecure uses for
> building the RS-Kill (the own or faked for
> server, client (router)) ?
>
> If RealSecure uses the own MAC then you have
> false entries in the arp cache of router/switch.
You do? Why? At what point is the RealSecure machine responding
to an ARP query?
> If RealSecure uses faked MAC for server or client
> then you have false entries in the bridging table
> of the switch.
Again, when it it going to be responding to an ARP query? It is
only going to be sending, never receiving (except in a promiscuous
mode which has no impact on your ARP tables).
> Exist any solutions for this (potential) problem ?
I do not see a problem.
--
Crist J. Clark Network Security Engineer
crist.clark@globalstar.com Globalstar, L.P.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic