Your statement alone that "blocking the port and ignoring the attacker is a
sufficient approach" states it all.
Your approach of passive resistance is not what I would recommend in this day
and age - especially if there are hard assets and bottom-line dollars at
stake. Typically, seasoned hack/crackers are not easily discouraged - blocking
is expected. They will keep trying until a vulnerability is found. BTW - the
talented ones, neither leave a trail when she (I say she - something many
overlook BTW) penetrates your defenses, nor does she advertise that he has done
so. Under these conditions, I submit this:
A firewall enforces a security policy. If a vulnerability is exploited - what
vehicle do you have to relay that this has occurred? "ZERO". With a pseudo
environment - the violation can be accomplished and the intruder is satisfied.
The attack progresses to the next level. Meanwhile you're tracking his every
move. Using this allows a feedback loop to:
1) modify your security policy to take into account this vulnerability - even
if it's minor - shoplifting a candy bar is only the beginning ...
2) modify your server security based on the exploits he/she has taken to breach
its defenses.
3) contact authorities and pursue legal channels...
With the "ManTrap" (www.recourse.com), the first intruder I trap pays for the
technology, why? This is a gal that, 1) would have breached my production
environment to cause real damage, 2) Has just provided me with unsolicited
feedback on my security policies in my perimeter defenses and my public
resources.
With your passive approach - what vehicle do you have that would even hint to
you that I do not already "OWN" your resources?
Class dismissed. NUF SED!
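The feedback loop above starts from the record of who kept knocking on closed ports and which ports they tried. As an added illustration that is not part of this thread and not ManTrap's or any firewall's real code, the script below parses a constructed, hypothetical "DROP/REDIRECT" log format (the field names, addresses and the `to=` honeypot field are all assumptions for the example), groups attempts per source, flags sources that came back across several closed ports, and lists the probed ports as candidates for a policy review.

```python
import re

# Constructed sample log lines in a hypothetical "dropped/redirected packet"
# format for this example; not the output of ManTrap or of any real firewall.
SAMPLE_LOG = """\
2000-05-10 17:40:01 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=1080
2000-05-10 17:40:03 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=1080
2000-05-10 17:40:09 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=23
2000-05-10 17:41:15 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=111
2000-05-10 17:42:30 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=8080
2000-05-10 17:50:00 DROP src=203.0.113.7 dst=198.51.100.5 proto=tcp dport=1080
2000-05-10 17:55:12 REDIRECT src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=21 to=10.0.0.99
"""

# One line of the assumed format: timestamp, action, src, dst, proto, dport,
# and an optional "to=" field naming the decoy host a connection was sent to.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|REDIRECT) src=(?P<src>\S+) dst=\S+ "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)(?: to=(?P<to>\S+))?$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def summarize_sources(events):
    """Per source address: total attempts, distinct ports, redirected count."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["src"], {"attempts": 0, "ports": set(), "redirected": 0})
        s["attempts"] += 1
        s["ports"].add(e["dport"])
        if e["action"] == "REDIRECT":
            s["redirected"] += 1
    return summary


def persistent_sources(summary, min_attempts=3, min_ports=2):
    """Sources that kept coming back and probed several closed ports."""
    return sorted(
        src for src, s in summary.items()
        if s["attempts"] >= min_attempts and len(s["ports"]) >= min_ports
    )


def ports_to_review(summary):
    """Ports probed by persistent sources: the input to a policy review."""
    ports = set()
    for src in persistent_sources(summary):
        ports |= summary[src]["ports"]
    return sorted(ports)


if __name__ == "__main__":
    summ = summarize_sources(parse_log(SAMPLE_LOG))
    for src in persistent_sources(summ):
        s = summ[src]
        print(f"{src}: {s['attempts']} attempts on ports {sorted(s['ports'])}, "
              f"{s['redirected']} redirected to a decoy")
    print("ports to review:", ports_to_review(summ))
```

On the constructed sample the single-attempt source is ignored and the persistent one is reported with the five ports it touched; the thresholds are the tunable part, since a source seen once on one port is the "blocked and gone" case the thread discusses, while repeat visits across ports are the ones worth feeding back into policy.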
mouss wrote:
> The problems with such approach are:
>
> - you are doing some work as a consequence of an attack. So, you're
> consuming CPU, network resources, ... just because an attacker did
> something. This may be considered as a form of "losing the war against
> attackers". Indeed, this is a "voluntary DoS".
>
> - when redirecting to some other service, it should be made sure that the
> latter cannot be cracked. but "sure" is not in security dictionaries.
>
> - doing that, you are accepting (in some form) to "play" with the attacker.
> and this is in his advantage: he got enough time to lose.
>
> - blocking the port and ignoring the attacker is a sufficient approach. when
> he gets convinced that you are well protected, he will try to find another
> target. In contrast, if you do something "unusual" (such as the redirection
> you're talking about), he gets excited on how to "win" this war (you defied
> him).
>
> - the redirection you're talking about would be helpful if there was a way
> to trace the attacker. however, and IP security is much about this, nothing
> guarantees nothing. the truth is nowhere...
>
> You should remember that the attacker has the advantage (this is true in
> other situations, such as in chess, ...), and that good defense goes with
> the economical principle of "least effort" until the other gets tired.
>
> regards,
> mouss
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> > Sent: Wednesday, May 10, 2000 5:46 PM
> > To: Eddy Kalem
> > Cc: '[EMAIL PROTECTED]'
> > Subject: Re: FW: Redirecting closed port connections
> >
> >
> > Eddy,
> >
> > Rather than redirect to a reporting agency, there is an inexpensive
> > solution out there (approx. 3K+) that will do just what you ask. ManTrap
> > (by recourse technologies) works with your existing firewall and any
> > violations to your security policy that you wish to be investigated will
> > be redirected to a prototype environment (hopefully one that mimics your
> > real site - only difference is the infrastructure behind the site is a
> > dynamic model to appease the hacker). Meanwhile, every keystroke he makes
> > and the source of his origin is being recorded and derived respectively.
> >
> > Just a thought...
> >
> > Eddy Kalem wrote:
> >
> > > Does anyone know if there's a host or an organization I can redirect
> > > non-permitted port connections to. For example, say someone's trying to
> > > exploit port 1080 at my firewall--which I'm currently blocking at my
> > > firewall--and let's say instead of blocking the address, I redirect it,
> > > keeping the originating IP address, to the G men's web server or some
> > > other organization that logs this type of activity. Is there such a site?
> > >
> > > Eddy Kalem
> > > Phyve, formerly Digital Medical Systems
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> >
> >