Re: Automatic Retaliation contra DoS

[h3xm3 () SWBELL NET (Ryan Sweat)]

if i remember correctly udp22 was/is used for pcAnywhere

----- Original Message -----
From: "Weston Pawlowski" <bug () WESTON CX>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Wednesday, May 17, 2000 3:52 PM
Subject: Re: Automatic Retaliation contra DoS

> Automatic retaliation is usually a bit dangerous, but it can
> still be a good thing, you just have to be careful...
>
> It can be used as a DoS against you... Let's say that you
> have portsentry setup to detect stealth TCP and UDP
> scans/floods, and it filters out all packets from the
> "attacker" via ipchains. Well, guess what... Someone could
> just type something like "nmap -sS -S 64.28.67.48 -e eth0
> yourserver.net" and cause portsentry to think "64.28.67.48"
> (slashdot.org) is scanning you, so it'll filter it out, and
> now you can't read slashdot.org until you remove the entry
> in ipchains! It's incredibly easy to spoof an IP on a SYN
> scan, so don't retailiate when you detect one.
>
> So, you should only retaliate when you are pretty sure that
> the IP is real (ie a full connection). I have my server
> setup to only notify me of stealth mode scans (such as a SYN
> scan), and I have simple little programs, which I call port
> mines, listening on various unusual port numbers for full
> connections. When a connection is made to one of my port
> mines, it notifies me and filters out the attacker via
> ipchains. My setup will retaliate against non-stealth port
> scans (used by most script kiddies and Windows users), and
> notify me about anything else.
>
> Completely filtering a suspected attacker out might be a bit
> harsh for a more public server, so I'd aggree that lowering
> the priority would be a great alternative. Does anyone know
> how feasible and how effective that would be?
>
> As long as we're on the subject, does anyone know why
> someone might want to poke at UDP ports 22 and 5632. I was
> just notified by portsentry that someone's messing with
> those ports, again. I saw exactly the same thing, three
> times before. The last two times it was from the same IP as
> the current attack, but the very first time it was from a
> different IP, but on the same ISP. And all four times, I was
> using a different IP. Any theories???
>
> -Weston Pawlowski
> Bug () Weston cx
> The Mace Project: http://www.MaceHQ.cx
>
> ---
>
> Hi there,
>
> I read the thread here about automatic retaliation in case
> of an attack
> (automatically closing the firewall for this packets or the
> like) and that this
> would make a nice DoS of its own. Well and then i had an
> idea:
>
> Newer routers and new (future?) Linux kernels allow for some
> kind of priority
> adjustment. So instead of simply closing the door for
> possibly malicious
> packets, how about automatically throwing them into a lowest
> priority class?
> This would in case of attack ensure 100% bandwith for legal
> packets while
> allowing traffic for this "malicious" packets in case of
> false alarm (may be
> slower). Also the detection routine could keep on checking
> (the malicios packets
> are still arriving), and open the door again some time after
> the last packet of
> that type. Would be somehow like "tarpitting" in mailers (in
> case of spam).
>
> What do you professionals think about this?
>
> Greetings
> Siegfried Gipp