Security Incidents mailing list archives
Re: Annoy Those Sub7 Scanners.
From: Guillaume Filion <gfk () LOGIDAC COM>
Date: Sun, 27 Aug 2000 13:28:55 -0400
At 14:37 -0700 26/08/00, Max wrote:
Tired of getting all those Sub7 scans? Well, why not make their life a little more difficult! It appears that when Sub7 scans a port that chargen is sitting on, it can't handle it, and crashes. A three-finger-salute is needed to regain any use of Windows. -Max [FCS] Yeah, We Regulate [FCS]
While it's maybe a good idea, let's not forget all the flame wars about counter-attacks and everything. I won't go into this, but I'll post a copy of an old email written by Michael H. Warfield on the Abacus mailing list which is so complete it looks like an essay about counter-attacking: ---------------------------------------
> A really long answer, but now let's talk about reality and security.
Ohhkkk... Seeing as I'm the Senior Researcher and Fellow at Internet Security Systems, I guess I'm qualified to speak to some of both reality and security. Sure. Why not... ;-/
> I agree with you about all that you've said, but I really don't think that things can go so far.
Welll... As long as we are talking about reality, yes, things do go so far. They have gone that far and will go that far in the future with chumps that put up counter reaction systems. I cited a few examples. These are reality. They really did happen. There are others on record. There will be more since, as the old saying goes, those who fail to learn from history are doomed to repeat it. I know some of the clowns who would do exactly that (play a sucker's reaction system against him), just for the thrill of embarrassing a site operator. You better believe that these guys also understand the term "tune for maximum smoke" very well. The security expert with the E-Mail responder who got caught with his pants down didn't get half the shellacking that he could have (some say should have) gotten.
> Let's imagine a typical wannabe, he's seen my web and decides to "check" my security. The first thing is to make a portscan from his Windows machine. He can see no port open, not even 80, and that looks strange to him, so he tries to watch the web again.
"Imagine"? I thought we were talking reality here. In any case, he's not your biggest problem, if he's a problem at all.
> Yeeepa! The web doesn't appear. Really strange, so he pings my machine and... it doesn't answer. He starts thinking that he has probably made a DoS or something by mistake and has "switched off" my server. Immediately he tells all his IRC friends but they can see the web so... what happens?
Doesn't come down that way. I've been running portsentry for a couple of years now on several networks and haven't seen a single instance. We are talking reality here, right?
> If he's a bit intelligent as to have seen the programs on Packetstorm he will remember some protection programs... Wow, he has touched an intelligent and protected system... If he's intelligent enough and has Linux installed he won't wait too long to reconnect with another IP and start making different portscans until he finds one that our program can't detect.
> And all of his curiosity started because WE (it's supposed that everybody in this list uses Abacus solutions) are using a program which denies that person if it detects an attack.
I thought you were talking reality, not conjecture. The reality is widespread port scans trolling vast expanses of addresses looking for something to respond. The reality is automatons that are just scanning for imap or sub7 or netbus. If an address space is "dark", their detectors never give a peep and they just keep trolling into the night. Reason I know this is that I have portsentry on a firewall protecting a /19 behind it and I can see the patterns. I can see the wide scans (scanning across IP addresses looking for only one or two services) and I can see the deep scans (picking a known good IP address and scanning for what services are available), I can see the distributed scans (scanning from multiple IP addresses to reduce port scanning detection), and I can see the slow scans (dribbling scan attempts at a slow rate to remain in the noise). You've knocked yourself out by first saying he's a wannabe and then attributing this malice to him that he's picked out your system and he's going to all this effort on it. No. The wannabes are going to scan as much as possible as fast as possible for something they are interested in. If they don't find anything, they keep going. If they do find what they're looking for, they'll be all over you. If they find something else interesting, that's when they let their buddies know. Most of their tools are automated. They pick up the results after running address scans all night. No response, no alert, the address gets ignored. The stereotypical image of a PFY (pimply faced youth) staring blurry eyed at a tube all night while picking apart web server after web server is largely fiction (not totally fiction - but largely). Now, they start a job and pick up results every few hours. Nothing shows up, chances are good they don't even know they scanned your address.
Remember too that stateful analysis (check a service, if there do a scan, then recheck the service) is costly and slow compared to the massive parallel scans that are in use now. It doesn't scale well to large numbers of addresses. It's going to be employed against you only after you've attracted their attention. Until then, they get their biggest bang for their computing buck by doing stateless scans scaled up and run in parallel. I've written tools that do both, parallel port scans and stateful vulnerability checks. I wrote a "Ping 'O Death" check that basically pinged a system, if the system responded fired the "Ping 'O Death" at it and then rechecked the normal ping to see if the system survived. The port scanners "haul ass" compared to something even as simple as that one test.
> Now think about if he was really attacking my system or not... if you configure Portsentry to wait for a few forbidden ports to be touched then that person is REALLY CHECKING the system (until this moment it can't be considered as an attack, as a judge said many months ago).
The guy that checks your system and then does a port scan and then double checks your system is a step above the "wannabes" and is already interested in your system for some reason. Likely as not, this individual would not even start with a fully connected port scan but would do a FIN scan or other stealth scan. Netfilter is going to help with stealth scans on the Linux platforms where we can use it to block FIN scans and fragment scans and other stealth scans against TCP. Ipfilter can do the same thing on the *BSD variants. These should be deployed at the host and at the network level to interfere with these scans, but that's a totally separate issue from portsentry.
> So we have detected a STUPID portscan and only a wannabe does this. Evidently a wannabe doesn't protect his own system too much and he won't detect that the attacked system is getting information about him.
That is really dumb, you know that. Pure conjecture and supposition that "only a wannabe does this" (not true) and where did you get this "Evidently a wannabe doesn't protect his own system too much"? What evidence to back the "evidently"? I don't see it. Even the lamers load up the evil ident servers and the fake finger servers. They want to know when they've struck a nerve. That's one of their common detection methods! Besides which, if they really are lamers who don't know how to secure their own systems or don't think far enough ahead to load up the false response servers, just blow them off and ignore them. They're no threat to you or your systems if you are already up to running portsentry. If they are sophisticated attackers and intruders then I can virtually guarantee that the information you get back from your probes is going to be false, or worse. So you are left with either useless (lamer) information or false (dangerous intruder) information. Either way, you lose, so why bother with it?
> I don't really think that a hacker would do this, a real hacker will make a good portscan (undetectable) and he will detect that his machine is being asked about him. Once he's found our interesting system the detail of a netbios check... do you really think that he wasn't already interested?
Right... Well now you just supported my primary arguments. By not probing back, you're going to weed out the broad sweeps from the thousands of wannabes out there. You're right, that's not going to stop the determined intruder, but that's not what it's for anyways. That's what the second layer of detection and defense is for. That's why you should have intrusion detection systems behind portsentry. Someone trying some sophisticated attack is then going to trip your IDS. If your IDS goes off, you know it's not because of some lamer running a wide sweep for sub7 or something. I've got things like secure logging servers and dedicated stealth IDS boxes waiting for the FIN scans and the Christmas scans and for the directed attacks. BTW... I have reports right now indicating that wide sweeps for sub7 (a Windows trojan and remote control cybertoxin) are now the number one port probes taking place on broadband networks such as cable modems. Up until recently, it was wide sweeps for imap, looking for the old RedHat 5.1 vintage imap service with the remote root hole. The other day, someone made a suggestion that I'm just investigating. That was to set up a stealth system (system with no IP address) which sits on a common segment of the network sniffing. But it wasn't sniffing for intrusions, it was sniffing for syslog traffic. The syslog traffic is directed at a different dedicated logging server but also picked up by this one. Now, an intruder breaking into one system will discover the logs are stored and processed on another server, which he may attack. He doesn't know about and can't access the third, stealth, server which has picked up and stored the logs or about the IDS which just set off alarms due to unexpected traffic against the exposed logging server. The exposed logging server may be a total fake anyways, left with tempting holes and deceiving services just to attract attack to give the IDS fuel to trigger on.
Not a honey pot, necessarily, but a sacrificial server which nothing else trusts. This is the mesh that waits for the high skills attacker. Portsentry is just the front door filter weeding out the riff raff and eliminating a lot of noise and false alarms. In my security tutorials, I'm always preaching defense in depth. You need multiple layers of defense. That way an intruder must be perfect in his efforts to break into your network in slipping past authentication and access controls while avoiding alarms, tricks, and traps. One mistake and the trap shuts on him and alerts you.
> Once a real hacker spots our system... better pray.
No... You don't pray, you be prepared. As Sun Tzu teaches in the Art of War... "So the rule is not to count on opponents not coming, but to rely on ways of dealing with them; not to count on opponents not attacking, but rely on what cannot be attacked." You don't rely on portsentry as your only defense, it is only one of your defenses. You don't rely on the smart cracker not attacking and slipping through your only defense. You need to be prepared for him on the other side, knowing that it isn't some riff raff rattling door knobs.
> And if he attacks from a university it's because he has gained a shell there, so the system isn't really well configured (ok, we could talk for months about the stupid passwords of the users and such things) as to detect a netbios check and those checks.
> Let's imagine that I'm getting curious checks on my system and I imagine that they come from the same person, not very intelligent I wish, and I want to get more information about him to know if he's the same person or not, to start tracing his attempts, or do I have to wait until my system has been compromised?
Hmmm... There's that word "imagine" again. Reality, remember... You want to get more information about him so you resort to probing him back and relying on information which he controls? I don't think so. You can't even tell if the information is valid or not and can't tell if it's set off any detectors on his side or not? Are you sure this is what you want to do?
> If I wasn't a security paranoid I wouldn't have installed Portsentry.
You're not nearly paranoid enough, if you think that responding to a port scan with a counter probe is a reasonable action.
> You say that somebody can use my checks to DoS me... and? Nowadays any script kiddie can perform a distributed DoS; even if my server has a web about religious cultures a radical can attack it, or if I have a gay web a heterosexual can attack it too.
> I'm looking for solutions, not words. "The best defense is an attack", well I don't want to attack but to know who I will fight against if he reaches my system.
No... Sun Tzu also teaches that to win by not attacking is best. Attacking and fighting chews up and wastes your resources, your "fullness". To win by not fighting is good. The expression "The best defense is an attack" is foolish when a fight could have been avoided entirely. "The best defense is a good offense" (the correct expression) is only true when a battle is inevitable. The first defense must be to avoid conflict or win the conflict before the battle. You won't find solutions in reaction systems. The intruders know how to deal with them. This is reality. They have those tools now. Counter probes have been around for years and the flaws in the concept are well known. Hostile servers and fake services are their stock in trade. If you rely on information you get from probing an intruder's system, you are just going to get lied to all the while he is checking out who just jumped when he poked them. The real danger is that you can't tell when you are being lied to or when you have anything useful. If you can't tell when the data back from the probes has been falsified, how can you do anything with the data that hasn't? Remember too... Think automation, not PFY. They can automate alarms that tell them when a system probes them back. Then they know they have found something interesting. You are raising a loud gong proclaiming "here I am" to the throngs of port scanners. You really don't want to attract that kind of attention.
> Or is it better just to sit down, do nothing and just wait until some user tells me that our web doesn't work?
I would never preach that. Were you listening? [...]
> Morals of this story:
> Don't tip him off that you've spotting him.
> Don't inform him that you have sophisticated detectors.
> Don't rely on information that he controls.
> Don't open yourself up to other indeterminant exploits and attacks.
> Don't open yourself up to being abused to attack others.
> Don't open yourself up to legal liabilities.
> Don't open yourself up to potential denial of service attacks,
> self-inflicted or otherwise.
> Whatever you think you might gain by doing this, is not worth
> the risk.
Add this... Contemplate Sun Tzu and the Art of War...
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
---------------------------------------
Best,
GFK's
--
http://logidac.com
Guillaume Filion (GFK's)
Logidac Technologies, Québec, Canada
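The scan patterns Warfield describes (wide, deep, distributed, slow), worked as an added example that is not from the thread, from portsentry, or from any of Warfield's tools: a passive triage pass over sensor logs that sorts each source into one of those shapes and flags coordinated sweeps, and never sends a packet back to the source. The log line format, the sample lines, the addresses, the thresholds, and the assumption that a Sub7 sweep targets port 27374 are all this example's own.

```python
"""Passive scan-pattern triage over sensor logs (added example).

Classifies what a dark sensor saw into the patterns described above:
wide (one or two ports across many targets), deep (many ports on one target),
distributed (one port hit by several sources inside a short window), and
slow (long gaps between probes). Nothing here talks to the scanner.
Log format, sample lines, addresses and thresholds are constructed for this
example and are assumptions, not portsentry's format or defaults.
"""
from collections import defaultdict
from datetime import datetime

# Assumed thresholds; tune against your own sensor's history.
WIDE_MIN_TARGETS = 8      # distinct targets before a source counts as a wide sweep
DEEP_MIN_PORTS = 8        # distinct ports on one target before it counts as deep
SLOW_MIN_GAP = 300.0      # mean seconds between probes before it counts as slow
DIST_WINDOW = 60.0        # seconds within which several sources share a port
DIST_MIN_SOURCES = 3      # sources needed to call a port a distributed sweep


def _line(t, src, dst, port):
    # Hypothetical sensor line format: "<ISO-8601 time> <src> -> <dst>:<port>"
    return f"{t} {src} -> {dst}:{port}"


# Constructed sample log (not real traffic). 27374 is assumed as Sub7's port.
SAMPLE_LOG = "\n".join(
    # wide sweep: one source, one port, a dozen targets, one per second
    [_line(f"2000-08-27T02:00:{i:02d}", "10.0.0.5", f"192.0.2.{i + 1}", 27374)
     for i in range(12)]
    # deep scan: one source walks ten ports on one target in ten seconds
    + [_line(f"2000-08-27T02:10:{i:02d}", "10.0.0.9", "192.0.2.7", p)
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 8080])]
    # slow deep scan: same shape, one probe every ten minutes to stay in the noise
    + [_line(f"2000-08-27T{3 + i // 6:02d}:{(i % 6) * 10:02d}:00", "10.0.0.12", "192.0.2.7", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    # distributed sweep: three sources share port 143 within one minute, two targets each
    + [_line(f"2000-08-27T04:30:{s * 5 + j:02d}", f"10.0.1.{s}", f"192.0.2.{20 + s * 2 + j}", 143)
       for s in range(1, 4) for j in range(2)]
)


def parse(log_text):
    """Turn sensor lines into (timestamp, src, dst, port) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, target = line.split()
        dst, port = target.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def classify_sources(events):
    """Return {src: (shape, tempo)}; shape is wide/deep/other, tempo is fast/slow."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        by_src[src].append((ts, dst, port))
    result = {}
    for src, probes in by_src.items():
        targets = {dst for _, dst, _ in probes}
        ports = {port for _, _, port in probes}
        if len(targets) >= WIDE_MIN_TARGETS and len(ports) <= 2:
            shape = "wide"
        elif len(targets) == 1 and len(ports) >= DEEP_MIN_PORTS:
            shape = "deep"
        else:
            shape = "other"
        times = sorted(t for t, _, _ in probes)
        span = (times[-1] - times[0]).total_seconds()
        mean_gap = span / (len(times) - 1) if len(times) > 1 else 0.0
        result[src] = (shape, "slow" if mean_gap >= SLOW_MIN_GAP else "fast")
    return result


def distributed_campaigns(events):
    """Return {port: sorted sources} for ports probed by DIST_MIN_SOURCES or more
    distinct sources inside any DIST_WINDOW-second window. Catches sweeps that
    per-source classification misses because each source touches few targets."""
    by_port = defaultdict(list)
    for ts, src, _dst, port in events:
        by_port[port].append((ts, src))
    flagged = {}
    for port, probes in by_port.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            window = {src for ts, src in probes[i:] if (ts - t0).total_seconds() <= DIST_WINDOW}
            if len(window) >= DIST_MIN_SOURCES:
                flagged[port] = sorted(window)
                break
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for src, (shape, tempo) in sorted(classify_sources(evts).items()):
        print(f"{src:10} {shape:5} {tempo}")
    for port, srcs in distributed_campaigns(evts).items():
        print(f"port {port}: distributed sweep from {', '.join(srcs)}")
```

The per-source pass reproduces the essay's triage: the wide sweep and the fast deep scan are the noise a front filter drops, the slow deep scan is the one that would stay under a rate-based alarm, and the three imap sources look like "other" individually and only show up when probes are grouped by port instead of by source. In every case the output is a label for your own logs, not a probe sent toward the scanner.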
Current thread:
- Annoy Those Sub7 Scanners. Max (Aug 26)
- Re: Annoy Those Sub7 Scanners. Dan Hollis (Aug 27)
- Re: Annoy Those Sub7 Scanners. Rune Kristian Viken (Aug 27)
- Re: Annoy Those Sub7 Scanners. Chris Keladis (Aug 27)
- Re: Annoy Those Sub7 Scanners. Thierry (Aug 27)
- Sub7/Open Telnet/Open Socks/DOS Ryan Yagatich (Aug 28)
- Re: Sub7/Open Telnet/Open Socks/DOS Valdis Kletnieks (Aug 28)
- Re: Sub7/Open Telnet/Open Socks/DOS Ryan Yagatich (Aug 29)
- <Possible follow-ups>
- Re: Annoy Those Sub7 Scanners. H Carvey (Aug 27)
- Re: Annoy Those Sub7 Scanners. Doug Kahler (Aug 27)
- Re: Annoy Those Sub7 Scanners. Valdis Kletnieks (Aug 27)
- Re: Annoy Those Sub7 Scanners. Dan Hollis (Aug 27)
- Re: Annoy Those Sub7 Scanners. Greg A. Woods (Aug 28)
- Re: Annoy Those Sub7 Scanners. Snehal Dasari (Aug 28)
- Re: Annoy Those Sub7 Scanners. H Carvey (Aug 27)
- Re: Annoy Those Sub7 Scanners. H Carvey (Aug 27)
- Re: Annoy Those Sub7 Scanners. Dan Hollis (Aug 27)
- Re: Annoy Those Sub7 Scanners. H Carvey (Aug 28)