Attack Response

[ LiB ]  

Earlier IDSs were only involved in monitoring activity and analyzing log files. Today's reactive IDSs can respond to an attack in one of four ways:

  • Terminate the session by performing a Transmission Control Protocol (TCP) reset

  • Block or shun the traffic

  • Create session log files

  • Restrict access

To terminate an attack session, the IDS sends TCP packets with the reset bit set to both the source address of the attack and destination address of the target. To block offending traffic, the IDS instructs another managed device such as a firewall or router to add an entry to the relevant access control list to deny incoming traffic from the offending source address. Session log files can also capture the data transmitted from the source address of the attack. Finally, the IDS can block the attacker's access to the relevant realm or domain.


A router, switch, or firewall that is instructed by a sensor to perform blocking is called a managed device .

[ LiB ]  

CSIDS Exam Cram 2 (Exam 642-531)
CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213 © 2008-2017.
If you may any questions please contact us: