This is not really a response to Jay's post; this is just my own 2 cents, for whatever that is worth (in today's economy I venture not much).

I think a person SHOULD obfuscate their IPs. Let's say they are running a vulnerable service and they are trying to shut it off. Say they cut 'n' paste the netstat showing their IP and listening port; they are basically saying, here I am, come get me. Sure, the point that someone is going to find them anyway is both valid and strong, but let's face it: some people on this list don't always have the best intentions. Case in point, going back about 6 months (maybe more????) when the t0rn r00tkit was trendy: David D made some points about it on the incidents list and what do you know..... sure enough, in the next version of t0rn there was a note in the readme quoting what David said on the incidents list (I believe it even provided a link back to his post). I don't believe security through obscurity works as a means to an end, but I say the more hurdles the better. Further, I think obfuscating the IPs is not really so much security through obscurity as it is more like common sense. It is like saying "yeah, I just bought this new lock and it appears to be broken, here is my address"; sure, other people are going to try to break into the house anyway, but no need to provide a street address and exact directions on how to get there.

Again, 2 cents falling quickly,

Leon
(I have recently become certified in ghi for all those following my saga. Currently working on jkl ;)

-----Original Message-----
From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 03, 2001 1:12 PM
To: Security-Basics List
Subject: Re: obfuscating ip's

On Sun, 2 Dec 2001, dewt wrote:

> i see many times on this list that people post ip's of their
> machines, and of suspect machines. occasionally with lines like
> "i'm running version (insert any vulnerable version number) of this
> service!" or a much less serious but still iffy "we only allow port
> 53 through the firewall to the machine 192.168.14.3" i think a risk
> exists by posting ip addresses.
I disagree for several reasons:

1. Any system that's reachable on the 'net is getting aggressively scanned anyway. Yes, discussing a problem may yield a temporary jump in scanning, but the threat of attack is not appreciably raised.

2. Discussing RFC-1918 addresses is pretty moot. Unless someone leaves some useful clues as to the external IP of their NAT, any planned attack on that LAN is an exercise in futility.

> first of all you expose your own machines to risk by announcing
> some unneeded information. sometimes a lot of information is needed
> to deduce problems, but the actual ips involved are usually not.

This is true, but only nominally so. There's a wealth of public information that one can use apart from any messages here by which they can mount an attack. The point I'm trying to make here is that obfuscating IP addresses in the course of discussions here won't buy the author any real security. Anyone with access to these public repositories of information can divine most everything they want to know if they truly have malevolent purposes. Obfuscating IPs isn't an obstacle...hell, it's barely a speedbump in any case.

> i have also heard in an email message that some people do indeed
> scan these machines for innocent purposes, but that can still cause
> alarm at the other end.

Now *this* is a valid concern. It's not a good idea to discuss IPs of systems you don't personally own and/or manage. As a rule, I *never* disclose information on an employer's or contractor's systems. The only IPs I spill are those I personally maintain.
> as for suspect machines (scans from this ip, or attempted worms
> whatever) also raises some issues, first of all if many people
> start scanning a compromised box the person who compromised it may
> get scared and delete everything on the system before someone
> responsible for the machine can take any appropriate action,
> alternatively you could invite scans to dialup accounts which by
> then wouldn't be the same machine anyway, slowing down someone's
> internet connection, or if the suspect traffic turned out to be a
> false alarm, you may have caused headaches for whoever deals with
> the innocent suspect machine (i know i have
> strange traffic forwarded to my pager, not sure about all of you).

I'm ambivalent on this issue. I see scans from different sites all over the world. Most scans I simply ignore if they're just vanilla scans for known vulnerable services (BIND, SunRPC, some SSHd iterations, et cetera). If it's a scan via a worm, I notify the netblock owner. But if it's repeated spews from a specific netblock and notices to the upstream go unheeded over several days, then I don't believe it's bad form to announce the problem to the world. By that time, it's pretty obvious that the connectivity provider is either oblivious or just doesn't give a fig and thus could use a bit of a rude awakening.

> horror stories aside, i just recommend that we all obfuscate ip
> addresses we post here unless the situation definitely calls for it

Eh...it's six of one, half a dozen of the other in my book. I don't see any harm in posting the IPs, and I don't see any benefit in obfuscating them. If someone wants your system bad enough, they'll find a way to get it...no matter how many smokescreens you toss up.

-Jay

"There's always time for a good cup of coffee"
Jay D. Dyson -- [EMAIL PROTECTED]
Si vis pacem, para bellum.
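An added example, not part of the original thread: a small Python sanitizer for the kind of netstat paste Leon describes. It swaps every routable IPv4 address for a consistent placeholder so a reader can still tell which lines belong to the same host, keeps the ports (usually the point of the question), and by default leaves RFC 1918, loopback and 0.0.0.0 wildcard addresses readable, since, as Jay notes, discussing those is moot. The netstat lines, the [HOST-n] token format and the sanitize() name are all constructed for this example.

```python
import ipaddress
import re

# IPv4 dotted quad with the optional ":port" suffix that netstat prints.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(:\d{1,5})?\b")

# Addresses that tell an outsider nothing: RFC 1918 space, loopback and the
# 0.0.0.0 wildcard netstat shows for a socket bound to every interface.
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def sanitize(text, keep_private=True):
    """Replace routable IPv4 addresses in text with stable [HOST-n] placeholders.

    The same address always gets the same placeholder, so readers can still
    see which lines belong to one host; ports are left intact. Returns
    (rewritten text, mapping); the mapping is for the poster's own records
    and is not meant to be posted.
    """
    mapping = {}

    def repl(match):
        raw, port = match.group(1), match.group(2) or ""
        try:
            addr = ipaddress.IPv4Address(raw)
        except ipaddress.AddressValueError:
            return match.group(0)          # not an address, e.g. an octet above 255
        if keep_private and any(addr in net for net in KEEP_NETS):
            return match.group(0)
        if raw not in mapping:
            mapping[raw] = f"[HOST-{len(mapping) + 1}]"   # placeholder format chosen for this example
        return mapping[raw] + port

    return IPV4_RE.sub(repl, text), mapping


# Constructed netstat-style output; 203.0.113.x and 198.51.100.x are
# documentation ranges standing in for the public addresses of the example.
SAMPLE_NETSTAT = """\
tcp  0  0 0.0.0.0:53          0.0.0.0:*            LISTEN
tcp  0  0 203.0.113.7:22      198.51.100.20:41022  ESTABLISHED
tcp  0  0 192.168.14.3:53     203.0.113.7:1047     ESTABLISHED
udp  0  0 203.0.113.7:1024    0.0.0.0:*
"""

if __name__ == "__main__":
    redacted, hosts = sanitize(SAMPLE_NETSTAT)
    print(redacted)
    print("private mapping:", hosts)
```

Pass keep_private=False to redact the RFC 1918 addresses as well, for the case where the LAN layout itself is what you would rather not publish.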