Jeff, [email protected] wrote on 22/08/2007 06:53:59 AM:
> On Aug 20, 7:58 pm, Thorne Lawler <[EMAIL PROTECTED]> wrote: > > I'm sure there was some solid reasoning behind the default fixed value for > > active-response.timeout. I'd love to hear it if anyone knows what it was. > > > Ever heard of the term "spoofing"? Think about if someone malicious > spoofed the ip addresses of valid hosts and blocked them all. This > would be an easy way to make a server useless. > http://en.wikipedia.org/wiki/IP_address_spoofing https://www.trouble.net.au/~thorin/cute/suckeggs.shtml Yes, thanks, I believe I've heard of it. :-) I've got three takes on this: 1. If a substantial amount of spoofed traffic is coming in through your ISP, consider changing ISPs: Spoofing, especially for stateful (i.e. TCP traffic) requires some serious router subversion. If the source is local, your ISP needs to beef up their per-client routing controls, or possibly boot a troublemaker. What I'm trying to say is: any significant amount of spoofing is in itself a security problem. If someone is able to spoof the IPs of any significant number of your valid client hosts, blocking everything but administrative for a while might not be such a bad idea. 2. This is what the whitelist is for. If you get noise on an IP and it gets blocked incorrectly, you whitelist it. This is just as true for legitimate clients as it is for spoofing or proxy-aggregation or DHCP turnover or any other potential IP-identity confusion. Actual example: My friend is debugging his rather crufty new webDAV mechanism to maintain his site on my server. It spews out bazillions of 404 errors every time he tries to connect, and OSSEC obediently cuts him off. He complains, so I add him to the whitelist. 3. How is five minutes any less harmful than an hour, or a day? If someone is spoofing an IP, they can get that IP cut off in less than a second. That still means they can keep it cut off more than 99% of the time. So my question stands: Why five minutes? -- Thorne Lawler Technical Consultant ICT Outsourcing Services | Infrastructure Services | Unix Storage and Delivery KAZ Group Pty Ltd 360 Elizabeth Street | Melbourne Victoria 3000 (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334 [EMAIL PROTECTED] | www.kaz-group.com -------------------------------------------------------------------------------- This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.
