On Thu, Dec 23, 1999 at 09:32:30AM -0500, Paul D. Robertson wrote:
> On Wed, 22 Dec 1999, Davis Ford wrote:

> > This may have already been mentioned, but take a look at a program called
> > portsentry (find it on freshmeat).
> > It will detect when someone runs a port scan on you, and then it will
> > automatically drop them into hosts.deny file, or better yet, it will add a
> > rule to ipchains which will automatically block their IP from accessing your
> > system.  it has great logging features, as well.

> So, if you're portscanned with spoofed addresses from the root 
> nameservers, your system will happily DoS itself?  

        That's why you DON'T use portsentry in its UDP or stealth modes
to reconfigure your firewall.

        IF you allow for portsentry to reconfigure your firewall on UDP
scans and IF the attacker realizes that you are using portsentry in that
mode and IF you haven't taken other actions to protect critical addresses
and IF he wants to do nothing more than shut you down, THEN he can
go to a lot of trouble to spoof UDP scans from each and every root name
server and each and every possible forwarding nameserver you might be
using.  Then he might cause you to DoS, but no guarantees, even then
(you may have other routes and interfaces).  That's a lot of ifs for that
one complicated "then" plus a lot of head scratching and wondering if it
even worked.

        If you've got notification enabled (if you don't - you should), you
find out fast and the attack is really noisy.  You add all those lovely
root servers to your host.ignore file and he can just go blow himself.  He
can't even reliably tell if the attack even worked or not.

        It generally isn't worth the effort and aggravation (on the part
of any would-be attacker).

        Anyone who can reliably spoof a port scan of fully connected TCP
ports from arbitrary IP addresses has much worse things they can do to you
than port scan you (since they can obviously sniff all of your traffic and
can poison all of your DNS).

        Even classical TCP spoofing attacks (which won't work against
Linux because it's not sequence number predictable) required a preliminary
scan of the actual box from the actual attacker to get the sequence number
pattern.  You could not possibly use this to spoof a TCP port scan (and
you would get cut off if you tried).

> (AIR, IPChains is going away soon (2.4), I'd double-check before I built 
> infrastructure that needed it.  2.4 will increase the performance of 
> multi-homed Linux boxes significantly.)  

> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
