The easy vs. the hard problem (Score: 1)
The easy part of this problem is cutting off the TCP connection. It is a simple matter of sending FIN and/or FIN-ACK TCP packets to the endpoints of the connections.
The hard part of this problem is in deciding which TCP connections to cut off. I don't think that randomly cutting off connections once a night or aborting long downloads is a good idea. This may inconvenience some legitimate users, and there are probably much better criteria that one could use to determine if a connection is "malicious." For instance, if overlapping IP fragments are detected, this may be an indication that someone is trying (a naive approach) to subvert your intrusion detection system, since fragmented packets are rarely used in the Internet today.
More research may need to be done in determining good application-level criteria that indicate a malicious connection, and in how to map these application-level criteria to firewall rules.
Sincerely,
Neil Daswani
http://www.learnsecurity.com/
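A defender-side check for the overlapping-fragment criterion mentioned in the comment above, added here as an example and not the commenter's code. The fragment records are constructed inline; the `Fragment` fields mirror the IP header's identification, fragment offset (8-byte units) and payload length, and the detector reports every pair of fragments of one datagram whose byte ranges intersect.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int    # IP identification field, shared by all fragments of one datagram
    offset: int   # fragment offset in 8-byte units, as carried in the IP header
    length: int   # payload bytes carried by this fragment

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + self.length


def find_overlaps(fragments):
    """Group fragments by (src, dst, ident) and return (ident, a, b) for every
    pair whose byte ranges intersect. Empty list means no overlap was seen."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f.src, f.dst, f.ident)].append(f)
    hits = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f.start)
        for i, a in enumerate(frags):
            for b in frags[i + 1:]:
                if b.start >= a.end:
                    break  # sorted by start: no later fragment can overlap a
                hits.append((key[2], a, b))
    return hits


def suspicious_datagrams(fragments):
    """Identification values of datagrams that carried overlapping fragments."""
    return sorted({ident for ident, _, _ in find_overlaps(fragments)})


# Constructed sample: datagram 1 is split cleanly (0..1480, 1480..1680);
# datagram 2's second fragment starts at byte 1472, inside the first one.
SAMPLE = [
    Fragment("10.0.0.5", "10.0.0.9", 1, 0, 1480),
    Fragment("10.0.0.5", "10.0.0.9", 1, 185, 200),
    Fragment("10.0.0.5", "10.0.0.9", 2, 0, 1480),
    Fragment("10.0.0.5", "10.0.0.9", 2, 184, 200),
]

if __name__ == "__main__":
    for ident, a, b in find_overlaps(SAMPLE):
        print(f"id {ident}: [{a.start},{a.end}) overlaps [{b.start},{b.end})")
```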