Firewall Wizards mailing list archives
Re: Response to door knocking
From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 29 Jan 1999 14:21:42 -0500 (EST)
On Thu, 28 Jan 1999, Robert Graham wrote:
> ---"Paul D. Robertson" <proberts () clark net> wrote:
> > I don't know anyone who doesn't have difficulty deciding how to react to
> > door-knocking. Well, besides whoever that was who used to automatically
> > e-mail zone contacts for any connect attempt, and I think they had problems
> > with the results of their decision.
>
> What are some legitimate responses to door knocking? Sending out automated
> e-mail seems to be a pathological response given the likelihood that IP
> addresses can be spoofed. How about these ideas:
>
> 1. nbstat (NetBIOS node status request).
> 2. identd protocol
> 3. GET / HTTP/1.0
> 4. OS fingerprint (a la. nmap or queso)

These could all be considered door knocking in their own right, especially if the first knock is spoofed. Then we end up with the echo spoof recreated.

> 5. link speed identification
>
> Let's take the extreme case where we've detected an intruder over a TCP
> connection whereby we know the TCP sequence number hasn't been spoofed (i.e.
> those operating systems with patches against spoofing).

We can't know the connection wasn't spoofed, since spoofing simply requires access to shared or diagnostic media between the victim and the spoofee.

> Thus, we are pretty sure about the source of the attack. First, we send a
> simple NetBIOS nodestatus request (UDP port 137) to the offending machine to
> potentially gather that user's login information.

So let's say the spoofed request is such a request itself, with the attacker claiming to be the victim of their own spoof?

> In the most extreme case, we do an OS fingerprint scheme like nmap or queso
> that sends a series of strange TCP packets/options/flags to the intruder in
> order to "fingerprint" the operating system. For example, we can likely tell
> whether they are using Windows or Linux or Mac or Solaris etc, even if no
> ports are open. Likewise, by sending varying size ping packets at the target,
> we can get a good fingerprint of their link speed (assuming our link is
> faster than their link). In essence, I can likely gather the user name,
> machine type, and operating system.

If they're (for example) FTP bouncing, then all you've done is identify the relay, which whois.arin.net could have told you without generating any packets back to the site.

> Of course, this won't be effective against real hackers but would gather a
> lot of evidence against script kiddies (which are more numerous).

But it could be disadvantageous to send packets back in several scenarios.

> If you don't care about evidence and simply want to scare them off, you can
> use the SMB messenger service or rwall to popup a message on their screen.
> Again, this assumes either NetBIOS or Sun RPC enabled respectively. Such a
> message would simply say "You are cybertrespassing and probably breaking
> several laws for which we will prosecute".

Of course, you're doing the same thing if the attacker isn't the primary user of the machine, or if the packets are spoofed. Since you presumably aren't law enforcement, there's no "hot pursuit" law to protect you, and since the attacker could be from any country, you may be placing yourself in jeopardy in a foreign jurisdiction. That's why I said it's not trivial to figure out how to respond to door knocking. Automatic response takes more thought, and generally lots of talking with the lawgeeks.

> Assuming that you take care of the obvious pathological cases (be careful
> about false positives, IP spoofing, and throttling the rate at which you
> send such messages, etc.), are there any problems with this scheme?

I'm not sure you can take care of the obvious pathological cases, and I'm not sure that popping a dialog box up on (for instance) a Back Orifice trojaned machine couldn't land you in serious hot water if the person on the machine was in the middle of something critical. Now, if we had a Colorado-esque "Go ahead make my Network" law...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net     which may have no basis whatsoever in fact."
PSB#9280
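As an added example (not code from either poster), the three cautions raised above, false positives, IP spoofing and throttling, written as a conservative door-knock policy: only connections that completed the TCP handshake count, a source must touch several distinct ports inside a window before anything beyond logging happens, and even then the outcome is a rate-limited escalation to an operator rather than an automatic packet back at the source. The log format and addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample firewall log (not from the thread): timestamp, src, dst port, TCP state.
# "ESTABLISHED" means the three-way handshake completed, so the source is not blindly spoofed.
SAMPLE_LOG = """\
1999-01-28T10:00:01 src=192.0.2.10 dport=137 state=SYN
1999-01-28T10:00:02 src=192.0.2.10 dport=139 state=SYN
1999-01-28T10:00:03 src=192.0.2.10 dport=21 state=SYN
1999-01-28T10:00:05 src=198.51.100.7 dport=21 state=ESTABLISHED
1999-01-28T10:00:06 src=198.51.100.7 dport=23 state=ESTABLISHED
1999-01-28T10:00:07 src=198.51.100.7 dport=80 state=ESTABLISHED
1999-01-28T10:00:08 src=198.51.100.7 dport=110 state=ESTABLISHED
1999-01-28T10:00:09 src=198.51.100.7 dport=143 state=ESTABLISHED
"""

class DoorKnockPolicy:
    """Decide, per source address, whether a door-knock merits operator-reviewed escalation."""
    def __init__(self, min_ports=4, window=timedelta(minutes=5), max_responses_per_hour=1):
        self.min_ports = min_ports          # distinct ports before it counts as door knocking
        self.window = window                # sliding window for counting those ports
        self.max_per_hour = max_responses_per_hour  # throttle: escalations per source per hour
        self.hits = defaultdict(deque)      # src -> deque of (time, port) within the window
        self.responses = defaultdict(deque) # src -> times an escalation was issued

    def parse(self, line):
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        ts = datetime.fromisoformat(line.split()[0])
        return ts, fields["src"], int(fields["dport"]), fields["state"]

    def observe(self, line):
        ts, src, port, state = self.parse(line)
        if state != "ESTABLISHED":          # half-open: source address may be spoofed
            return "ignore: half-open, source may be spoofed"
        q = self.hits[src]
        q.append((ts, port))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len({p for _, p in q}) < self.min_ports:   # too few ports: false-positive guard
            return "log only"
        r = self.responses[src]
        while r and ts - r[0] > timedelta(hours=1):
            r.popleft()
        if len(r) >= self.max_per_hour:     # throttle repeated responses to one source
            return "throttled"
        r.append(ts)
        return "escalate to operator"

def run(policy, log):
    return [policy.observe(line) for line in log.splitlines() if line.strip()]
```

Running it over the sample shows the SYN-only scanner never gets past "ignore", and the handshake-completing source is escalated exactly once and then throttled.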