On Mon, 15 May 2000 [EMAIL PROTECTED] wrote:
> those data flows provided for in a qualified security policy. You allow
> the bear minimum and stop there. Then you test that this is all you have
It's a grizzly and polarized debate! (sorry, couldn't resist)
> To continue ... tracking the source can be difficult and is prone to
> error. This has been pointed out already... But then close port scanning
> such as SYN scans etc... are not all that useful to an attacker except
> perhaps in the form of network enumeration... you might be able to get a
> better picture of what the network looks like but you will not get a
> foot hold to launch an attack.... OK perhaps DOS for the Brain Dead. DOS
I don't quite agree with your prioritization; a non-connect TCP scan can
give enough information to know which targets are juicy to an attacker
without host logging in most cases. That's _very_ useful if they're
attempting to find a soft target to beat on. The benefit to an attacker
of such scans is that they can use a significant number of source
addresses to scan from and make it difficult to determine which source
address is correct. This is yet-another-reason why *everyone* should do
egress filtering wherever possible.
> The only reliable method of scanning is a tcp connect. If this type of
> scan is detected then you know how you can track the source. From here
> it is simple. In order for the attacker to get any useful info he must
> be able to get data back... Thus the source reported in the TCP header/
> IP Header is the real source, or by tracerouting back to the reported
> source .. one of the hops will be the real source... you know what the
Not necessarily. Despite literally years of warnings, FTP bounce attacks
are still possible (along with similar things for a lot of open proxy
servers), and there are a *lot* of compromised Web servers out there that
can be used to launch attacks (Watching Attrition's defacement list is
illuminating- NT Web servers seem to be pretty popular targets these days
(my assumption is that a lot of places still haven't fixed the RDS bug.))
Tracking back to an intermediary host is sometimes useful in finding the
real attacker, but in other cases it's fruitless because the jumping-off
point is trojaned and the logs are clean.
> source port is so find which one accepts your response packets....But
> then what do you do when you have tracked the source ... the responsible
> thing to do would be to determine what ISP is responsible and inform
> them that one of the hosts or connections is being used to scan you
> illegally. Retaliation is a highly questionable course of action, even
> if it is very tempting!!
Once you have an IP address, it's literally seconds to filter or blackhole
them at the border. Retaliation is really bad: if you DoS a
compromised host that belongs to an injured 3rd party, you're likely to
end up on the wrong side of some set of lawyers.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
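Added example, not part of the original thread or either poster's own
work: a small simulation of the two points Paul makes above. A half-open
(SYN) scan interleaved with spoofed decoy sources leaves the target with
several candidate source addresses, only one of which is real, and an
anti-spoofing egress filter at the scanning site's own border strips the
decoys before they reach the target. All packets, hosts, prefixes and
the port threshold are constructed for the example and are assumptions,
not data from the thread.

```python
"""
Added example (not from the original mailing-list thread).

Models what a target sees from a SYN scan that uses decoy source addresses,
and what it sees once the scanning site applies egress filtering (drop any
outbound packet whose source address is not inside the site's own prefix).
All traffic below is constructed; addresses use documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed packet tuples as seen by the target: (src_ip, dst_ip, dst_port, flags)
# flags: "S" = bare SYN, "A" = final ACK of a completed handshake.
REAL_SCANNER = "203.0.113.7"                  # assumption: the real scanner
DECOYS = ["198.51.100.9", "192.0.2.44"]       # assumption: spoofed decoys
TARGET = "192.0.2.10"                         # assumption: the scanned host
ATTACKER_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # assumption: scanner's site


def build_syn_scan(sources, target, ports):
    """Constructed half-open scan: every source sends a bare SYN to every
    port and never completes a handshake, which is what distinguishes it
    from a connect() scan in the function below."""
    return [(src, target, port, "S") for port in ports for src in sources]


def build_connect(src, target, port):
    """Constructed full handshake from one client: the target receives the
    SYN and, after sending its own SYN/ACK, the client's final ACK."""
    return [(src, target, port, "S"), (src, target, port, "A")]


def half_open_sources(packets, port_threshold=5):
    """Return {src: sorted ports} for every source that sent bare SYNs to
    at least port_threshold distinct ports and completed none of them.
    With decoys in play this reports several sources; the target alone
    cannot tell which one is real."""
    syn_ports = defaultdict(set)
    ack_ports = defaultdict(set)
    for src, _dst, port, flags in packets:
        if flags == "S":
            syn_ports[src].add(port)
        elif flags == "A":
            ack_ports[src].add(port)
    result = {}
    for src, ports in syn_ports.items():
        unfinished = ports - ack_ports[src]
        if len(unfinished) >= port_threshold:
            result[src] = sorted(unfinished)
    return result


def egress_filter(packets, local_prefix):
    """Anti-spoofing egress filter at the scanning site's border: only
    packets whose source address belongs to the site's own prefix leave."""
    return [p for p in packets if ipaddress.ip_address(p[0]) in local_prefix]


def demo():
    """Run the scan with and without egress filtering at the scanner's
    site and return what the target's detector reports in each case."""
    ports = [21, 22, 25, 80, 110, 143, 443]
    scan = build_syn_scan([REAL_SCANNER] + DECOYS, TARGET, ports)
    legit = build_connect("198.51.100.200", TARGET, 80)  # a normal web client
    unfiltered = half_open_sources(scan + legit)
    filtered = half_open_sources(egress_filter(scan, ATTACKER_PREFIX) + legit)
    return unfiltered, filtered


if __name__ == "__main__":
    before, after = demo()
    print("no egress filtering, candidate scanners:", sorted(before))
    print("with egress filtering, candidate scanners:", sorted(after))
```

Without the egress filter the detector reports three candidate sources
for the same port sweep, and the legitimate client that completed its
handshake is never listed; with the filter in place at the scanning
site only the real source address survives the trip.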