On Wed, 29 Dec 1999, Michael H. Warfield wrote:

> > > It will detect when someone runs a port scan on you, and then it will
> > > automatically drop them into hosts.deny file, or better yet, it will add a
> > > rule to ipchains which will automatically block their IP from accessing your
> > > system.  it has great logging features, as well.
> 
> > So, if you're portscanned with spoofed addresses from the root 
> > nameservers, your system will happily DoS itself?  
> 
>       That's why you DON'T use portsentry in its UDP or stealth modes
> to reconfigure your firewall.

Which is exactly what I was pointing out.  "Or better yet, it will add a 
rule to ipchains..." was the focus of my reply.

>       IF you allow for portsentry to reconfigure your firewall on UDP
> scans and IF the attacker realizes that you are using portsentry in that
> mode and IF you haven't taken other actions to protect critical addresses
> and IF he wants to do nothing more than shut you down, THEN he can
> go to a lot of trouble to spoof UDP scans from each and every root name

"A lot of trouble?"  "Each and every root name server?"  Try looking in 
named.ca, it's not *that* much trouble to add 13 addresses, and worse yet, if 
autoblocking becomes popular, it'll just be the usual M.O.: it costs nothing 
extra to add the root nameservers to the list of source IPs, and it's 
easily and trivially automated.

> server and each and every possible forwarding nameserver you might be
> using.  Then he might cause you to DoS, but no guarantees, even then

If you're using non-roots you're probably taking more exposure than 
necessary anyway (the only time I won't go to roots is when I'm going to 
another nameserver I administer).  Wonder if anyone else is looking to 
zone xfer the US roots for Y2K just-in-cases?  

It's pretty easy to state-check DNS if you're using *BSD and IPFilter, and 
it's fairly easy to set up BIND to use a specific port to query for any filter 
rules in either case.

At this point, I'd hesitate to use Linux as a screen for a site that took 
a lot of traffic.  I'm a big Linux fan, but I'm currently waiting on the new 
filter code to gel and the multiple interface changes currently in 
2.3.x kernels to get to a production state (Currently Linux lags with 
multiple interfaces, it's not bad in a proxy server, but it is bad if you're 
trying to build a low latency packet filter.)  

IMO, IPFilter would have been _much_ more attractive to integrate into 
2.3/2.4 than a rewrite of BPF for the new filtering code.  Unfortunately, 
Linux 2.2.x is different enough that a port of IPFilter is way too 
time-consuming at this point.  

I'm just starting to play with 2.3.34 now that it looks like 2.4.x is 
looming, but it'll be a while before it touches any of my production boxes.

> (you may have other routes and interfaces).  That's a lot of ifs for that
> one complicated "then" plus a lot of head scratching and wondering if it
> even worked.

You don't have to wonder if it's the de facto M.O., you lose nothing by 
doing it as an attacker, and you gain little by autoreacting that way as 
a defender unless you've patterned your traffic pretty significantly, and 
even then you're better off having static rules in your border routers 
for almost everything anyway.

>       If you've got notification enabled (if you don't - you should), you
> find out fast and the attack is really noisy.  You add all those lovely
> root servers to your host.ignore file and he can just go blow himself.  He
> can't even reliably tell if the attack even worked or not.

There are enough script kiddies out there that it generally doesn't 
matter if they can tell, and it's fairly easy to tell if they've taken 
over the primary server for some domain and you have anything on your 
network that does lookups in response to anything (say e-mail to add 
anti-spam headers, tcpwrappers that do lookups, Web servers that 
log host addresses...).

>       It generally isn't worth the effort and aggravation (on the part
> of any would-be attacker).

That's the point, it's trivial (almost zero aggravation) on the part of 
the attacker to add those as source addresses.  If any significant part 
of the user community started auto-blocking things it'd be about a day 
before it was in the latest script.  So for almost zero effort, you get a 
chance to make the target self-DoS, and it doesn't hurt a more intrusive 
scan either way.  Finally, if it's in the tools, the script kiddies won't 
even know it's happening, and if it worked on one host per /16 it'd be 
"worth" adding from what little I've seen on the machines I've had to 
clean up where logs have been recoverable and the attacker's 
command-by-command activities have been recovered.  YMMV.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
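An added illustration of the failure mode argued over in this message (example code written for this page, not code from the thread or from portsentry): a naive policy that firewalls off any reported scanner, beside a hardened one that never blocks critical addresses and only reacts to completed TCP connections, which a spoofed packet cannot produce. The addresses are constructed documentation-range placeholders, not real root servers or resolvers.

```python
"""Auto-block policy check: naive vs. hardened (added illustration, not portsentry code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders for addresses this host cannot afford to block:
# its resolver and the block its root-server list (named.ca) would come from.
CRITICAL = [ip_network("192.0.2.53/32"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class ScanEvent:
    src: str    # source address as reported by the sensor
    proto: str  # "tcp" or "udp"
    mode: str   # "connect" (completed TCP handshake) or "stealth" (raw packet seen)


def naive_policy(ev: ScanEvent) -> str:
    """Block whatever the sensor reports. UDP and stealth detections fire on a
    single packet whose source can be forged, so an attacker can make this
    host firewall off its own nameservers: the self-DoS discussed above."""
    return "block"


def hardened_policy(ev: ScanEvent) -> str:
    """Auto-block only on evidence that is hard to forge, never on critical hosts."""
    src = ip_address(ev.src)
    if any(src in net for net in CRITICAL):
        return "ignore"  # the equivalent of portsentry's ignore list
    if ev.proto != "tcp" or ev.mode != "connect":
        return "notify"  # spoofable: log and alert, but do not touch the firewall
    return "block"       # a completed handshake means the source really talked to us


def apply(policy, events):
    """Return the set of source addresses a policy would firewall off."""
    return {ev.src for ev in events if policy(ev) == "block"}


# Constructed sample: one genuine TCP scanner, plus UDP/stealth probes whose
# source fields were set to the resolver and to a root-server placeholder.
SAMPLE = [
    ScanEvent("203.0.113.7", "tcp", "connect"),
    ScanEvent("192.0.2.53", "udp", "stealth"),
    ScanEvent("198.51.100.4", "udp", "stealth"),
    ScanEvent("203.0.113.9", "tcp", "stealth"),
]

if __name__ == "__main__":
    print("naive blocks:   ", sorted(apply(naive_policy, SAMPLE)))
    print("hardened blocks:", sorted(apply(hardened_policy, SAMPLE)))
```

The naive policy would drop a rule blocking 192.0.2.53 and 198.51.100.4, cutting the host off from its own resolver; the hardened policy blocks only the scanner that completed a TCP connection.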



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]