Firewall Wizards mailing list archives
Re: ipchains FW, monitoring for scans, & how to react to them
From: cbrenton <cbrenton () sover net>
Date: Wed, 22 Dec 1999 07:44:44 -0500 (EST)
On Tue, 21 Dec 1999, Thom Dyson wrote:
> A conversation about this sort of auto-blocking came up at the SANS conference last week. It was pointed out that if you have this, it could be the basis of a very effective DoS attack with just a little IP spoofing.
I brought this up in my firewall class at SANS as well. Reactive IDS systems have become extremely popular but can be used to kill connectivity. On three occasions I've seen instances where an organization's connectivity has been killed by spoofing attack patterns from root name server IP addresses. Of course this falls to one of my biggest gripes: many organizations focus on limiting what comes into their environment but pay little attention to what goes out. I'm a big advocate of outbound spoofing filters. ;)
> Given the trend toward low and slow scans, your "DENY flush" interval would have to be fairly long. You have to weigh the risks in your environment.
Agreed. Just because a feature exists does not mean you should use it. ;)
> A couple of the speakers on intrusion detection basically said, "We get so many probes on things like IMAP and BO, that as long as they are outside the firewall, they just aren't that interesting."
Back in "the good old days" I used to follow up on every attack. Now I just database the pattern along with the source address and let it slide unless they are dumb enough to poke away at my honeypot. ;)
> They weren't too worried about probes for services that they know aren't running on a particular machine. It was the unknown probes (a la new trojans) that seemed to be the biggest concern.
I've been involved with the SANS Y2K National Watchcenter and have been seeing a good number of trojan type attacks being reported. This is yet another reason to watch what traffic is trying to leave your network. ;)
> WRT firewalling on the web server without a second separate fw, I'm a huge fan of one task per machine. Ipchains on the web server is a good idea, but not as a replacement for a separate perimeter defense.
Agreed. Also, ipchains is a packet filter. If the goal is to secure the Web server itself, you can do the same thing by killing services and using wrapper.

Cheers,
Chris

--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
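The spoofing problem Chris and Thom describe is easy to reproduce on paper. The following is an added example, not code from the thread or from any ipchains tool: a toy reactive blocker fed with constructed ipchains-style "Packet log" lines (the format is approximated from memory, and all addresses are documentation ranges; 192.0.2.53 stands in for a root name server or upstream resolver the attacker spoofs as the probe source). The naive blocker bans whatever source trips the threshold, so the spoofed probes cut off the resolver. The hardened variant adds the two mitigations the thread mentions: a never-block list for hosts you cannot afford to lose, and a bounded "DENY flush" interval so any bad rule expires on its own. A small egress check at the end illustrates the outbound spoofing filter Chris advocates.

```python
"""Added example (not from the thread): reactive blocking, its spoofing DoS
failure mode, and the never-block list / DENY flush interval that bound it."""
import ipaddress
import re
from collections import defaultdict

# Constructed ipchains-style kernel log lines (documentation-range addresses).
# 203.0.113.9 is a real scanner; 192.0.2.53 is a critical resolver whose
# address the scanner spoofs in the second batch of probes.
SAMPLE_LOG = """\
Dec 22 07:40:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4321 10.0.0.5:143 L=60 S=0x00 I=1 F=0x4000 T=64
Dec 22 07:40:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4322 10.0.0.5:31337 L=60 S=0x00 I=2 F=0x4000 T=64
Dec 22 07:40:03 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4323 10.0.0.5:12345 L=60 S=0x00 I=3 F=0x4000 T=64
Dec 22 07:41:00 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.53:1025 10.0.0.5:143 L=60 S=0x00 I=4 F=0x4000 T=64
Dec 22 07:41:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.53:1026 10.0.0.5:31337 L=60 S=0x00 I=5 F=0x4000 T=64
Dec 22 07:41:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.53:1027 10.0.0.5:12345 L=60 S=0x00 I=6 F=0x4000 T=64
"""

# Hosts that must never be auto-blocked (resolver / root server stand-in).
NEVER_BLOCK = frozenset({ipaddress.ip_address("192.0.2.53")})
# Our own address space, for the outbound anti-spoofing check.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(r"Packet log: (\S+) (\S+) (\S+) PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)")
TIME_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d)")


def parse_packet_log(line):
    """Return (src_ip, dst_port) from an ipchains-style log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m.group(5)), int(m.group(8))


def parse_time(line):
    """Syslog HH:MM:SS -> seconds since midnight (good enough for a toy)."""
    h, m, s = TIME_RE.match(line).groups()
    return int(h) * 3600 + int(m) * 60 + int(s)


class ReactiveBlocker:
    """Blocks a source after `threshold` denied probes within `block_seconds`.
    Blocks expire after `block_seconds` (the DENY flush interval) and sources
    in `never_block` are exempt, whatever the log says."""

    def __init__(self, threshold, block_seconds, never_block=frozenset()):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.never_block = set(never_block)
        self.probes = defaultdict(list)   # src -> recent probe times
        self.blocked = {}                  # src -> expiry time

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[src]          # flush the expired DENY rule
            return False
        return True

    def observe(self, src, now):
        """Record one denied probe; return True if src was just blocked."""
        if src in self.never_block or self.is_blocked(src, now):
            return False
        recent = [t for t in self.probes[src] if now - t < self.block_seconds]
        recent.append(now)
        self.probes[src] = recent
        if len(recent) >= self.threshold:
            self.blocked[src] = now + self.block_seconds
            return True
        return False


def run(log_text, blocker):
    """Feed log lines to the blocker; return [(src, time)] of new blocks."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_packet_log(line)
        if parsed is None:
            continue
        src, _dport = parsed
        if blocker.observe(src, parse_time(line)):
            events.append((str(src), parse_time(line)))
    return events


def egress_is_spoofed(src, internal_nets=INTERNAL_NETS):
    """Outbound anti-spoofing rule: a packet leaving our border must carry
    one of our own source addresses; anything else is spoofed (or misrouted)."""
    return not any(src in net for net in internal_nets)


if __name__ == "__main__":
    naive = ReactiveBlocker(threshold=3, block_seconds=600)
    print("naive blocker banned:", run(SAMPLE_LOG, naive))
    hardened = ReactiveBlocker(threshold=3, block_seconds=600, never_block=NEVER_BLOCK)
    print("hardened blocker banned:", run(SAMPLE_LOG, hardened))
    print("egress 10.1.2.3 spoofed?", egress_is_spoofed(ipaddress.ip_address("10.1.2.3")))
    print("egress 203.0.113.9 spoofed?", egress_is_spoofed(ipaddress.ip_address("203.0.113.9")))
```

Running it shows the naive blocker banning both 203.0.113.9 and the spoofed 192.0.2.53, while the hardened one bans only the scanner; the expiry check is what Thom's "DENY flush" interval buys you, and the trade-off he notes still holds, since a long interval catches slow scans but also prolongs any block an attacker tricks you into installing.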