Vulnerability Development mailing list archives
Re: Automatic Retaliation contra DoS
From: h3xm3 () SWBELL NET (Ryan Sweat)
Date: Wed, 17 May 2000 22:45:28 -0500
If I remember correctly, udp22 was/is used for pcAnywhere.

----- Original Message -----
From: "Weston Pawlowski" <bug () WESTON CX>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Wednesday, May 17, 2000 3:52 PM
Subject: Re: Automatic Retaliation contra DoS
Automatic retaliation is usually a bit dangerous, but it can still be a good thing, you just have to be careful... It can be used as a DoS against you... Let's say that you have portsentry set up to detect stealth TCP and UDP scans/floods, and it filters out all packets from the "attacker" via ipchains. Well, guess what... Someone could just type something like "nmap -sS -S 64.28.67.48 -e eth0 yourserver.net" and cause portsentry to think "64.28.67.48" (slashdot.org) is scanning you, so it'll filter it out, and now you can't read slashdot.org until you remove the entry in ipchains! It's incredibly easy to spoof an IP on a SYN scan, so don't retaliate when you detect one.

So, you should only retaliate when you are pretty sure that the IP is real (i.e. a full connection). I have my server set up to only notify me of stealth mode scans (such as a SYN scan), and I have simple little programs, which I call port mines, listening on various unusual port numbers for full connections. When a connection is made to one of my port mines, it notifies me and filters out the attacker via ipchains. My setup will retaliate against non-stealth port scans (used by most script kiddies and Windows users), and notify me about anything else.

Completely filtering a suspected attacker out might be a bit harsh for a more public server, so I'd agree that lowering the priority would be a great alternative. Does anyone know how feasible and how effective that would be?

As long as we're on the subject, does anyone know why someone might want to poke at UDP ports 22 and 5632? I was just notified by portsentry that someone's messing with those ports, again. I saw exactly the same thing three times before. The last two times it was from the same IP as the current attack, but the very first time it was from a different IP, but on the same ISP. And all four times, I was using a different IP. Any theories???
-Weston Pawlowski
Bug () Weston cx
The Mace Project: http://www.MaceHQ.cx

---

Hi there,

I read the thread here about automatic retaliation in case of an attack (automatically closing the firewall for these packets or the like) and that this would make a nice DoS of its own. Well, and then I had an idea: newer routers and new (future?) Linux kernels allow for some kind of priority adjustment. So instead of simply closing the door for possibly malicious packets, how about automatically throwing them into a lowest priority class? This would in case of attack ensure 100% bandwidth for legal packets while allowing traffic for these "malicious" packets in case of false alarm (maybe slower). Also the detection routine could keep on checking (the malicious packets are still arriving), and open the door again some time after the last packet of that type. Would be somehow like "tarpitting" in mailers (in case of spam).

What do you professionals think about this?

Greetings
Siegfried Gipp
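The port-mine setup Weston describes, written out as an added example (this is not code posted by anyone in the thread): a listener on an otherwise unused TCP port treats only a completed three-way handshake as evidence of the real source, a SYN-scan report only produces a notification because nmap's -S option lets the scanner put any address into the SYN, and every filter entry expires on a timer, which is Siegfried's "open the door again" idea applied to a plain block. The ipchains command shape, the allowlist contents and the mine port 31337 are assumptions; rules are returned as strings and never executed.

```python
"""Port mine whose retaliation policy trusts only completed TCP handshakes.

Added example for this thread, not code from any of the posters. SYN-scan
events are unverified (the source address is whatever the sender chose) and
only notify; a full connection to a mine port, whose peer address is known
only after accept() returns, is the one event that earns a filter entry.
"""
import socket
import time
from dataclasses import dataclass, field

# Constructed allowlist: addresses never to filter, however a detector attributes
# traffic to them. 64.28.67.48 is the slashdot.org address from Weston's spoofing
# example; 127.0.0.1 keeps a loopback test from filtering the host itself.
NEVER_FILTER = {"127.0.0.1", "64.28.67.48"}


@dataclass
class RetaliationPolicy:
    block_seconds: float = 3600.0
    blocked: dict = field(default_factory=dict)   # src_ip -> expiry (epoch seconds)
    notices: list = field(default_factory=list)   # what would be mailed to the admin

    def expire(self, now):
        """Drop filter entries whose timer has run out (the false-alarm escape hatch)."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]

    def on_event(self, kind, src_ip, now=None):
        """Decide what to do with one detector event and return the action taken.

        kind is 'syn_scan' (half-open probe, source unverified) or
        'full_connect' (three-way handshake completed, source verified).
        """
        now = time.time() if now is None else now
        self.expire(now)
        if src_ip in NEVER_FILTER:
            self.notices.append(f"ignored {kind} attributed to allowlisted {src_ip}")
            return "ignore"
        if kind == "syn_scan":
            # A SYN carries whatever source address the sender chose; filtering on
            # it lets an attacker make us cut off any third party they name.
            self.notices.append(f"possible stealth scan from {src_ip} (unverified)")
            return "notify"
        if kind == "full_connect":
            self.notices.append(f"full connection to a port mine from {src_ip}")
            self.blocked[src_ip] = now + self.block_seconds
            return "block"
        raise ValueError(f"unknown event kind {kind!r}")

    def filter_rules(self):
        """DENY rules for the current entries, in an assumed ipchains-era command
        shape. Returned as strings for an operator to review, never executed."""
        return [f"ipchains -A input -s {ip} -j DENY" for ip in sorted(self.blocked)]


def serve_mine(port, policy, host="0.0.0.0", max_connections=1):
    """Listen on an unused port and feed each completed connection to the policy.

    accept() returns only after the kernel has finished the three-way handshake,
    so unlike a logged SYN the peer address here belongs to a sender that really
    received our SYN-ACK. Returns the actions taken, one per connection.
    """
    actions = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        for _ in range(max_connections):
            conn, (peer_ip, _peer_port) = srv.accept()
            conn.close()  # nothing to say to a scanner; the connection itself is the evidence
            actions.append(policy.on_event("full_connect", peer_ip))
    return actions


if __name__ == "__main__":
    policy = RetaliationPolicy(block_seconds=600)
    # Hypothetical mine port; pick one nothing legitimate listens on.
    print("arming mine on tcp/31337, waiting for one full connection...")
    print(serve_mine(31337, policy))
    print("\n".join(policy.notices))
    print("\n".join(policy.filter_rules()))
```

Run stand-alone it arms one mine and reports the first full connection; the policy object can equally be fed SYN-scan events from portsentry's log, where the only effect is a notice. A spoofed SYN therefore never reaches the filter list, which is the whole point of Weston's two-tier setup.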
Current thread:
- Re: Networking theories, (continued)
- Re: Networking theories Helmethead (May 07)
- Re: Networking theories Dragos Ruiu (May 07)
- Re: Networking theories Blue Boar (May 07)
- Re: Networking theories Matthew King (May 08)
- Re: Networking theories Dug Song (May 08)
- Automatic Retaliation contra DoS sigipp () WELLA COM BR (May 09)
- Re: Automatic Retaliation contra DoS Weston Pawlowski (May 17)
- Re: Automatic Retaliation contra DoS Michael H. Warfield (May 17)
- Re: Automatic Retaliation contra DoS Weston Pawlowski (May 17)
- Re: Automatic Retaliation contra DoS Michael H. Warfield (May 18)
- Re: Automatic Retaliation contra DoS Ryan Sweat (May 17)
- Re: Automatic Retaliation contra DoS Max Vision (May 17)