On 29 Jan 2001, Rainer Weikusat wrote:

> thomas lakofski <[EMAIL PROTECTED]> writes:
> > Tim Haynes wrote:
> > Script kiddies generally don't know what's happened to them when
> > portsentry triggers, and go looking for easier fodder
>
> Random garbage traveling across the 'net is exactly this: Random
> garbage.

ok, and?

[snip]

> A nice remote DoS:
> --------------------
> while true;
> do
> isdnctrl dial ippp0
> nc -v -z <your.ip> <port>
> isdnctrl hangup ippp0
> done
> --------------------
>
> If I suffer from dynamic IP allocations, you would be blocking
> hundreds of IPs within a comparatively short amount of time (~ 3-5
> seconds per IP). This will keep your machine quite busy and will block
> entirely legitimate accesses to the services you talk of below from
> people who happen to get said IPs next.

I think the machine can manage to handle executing a command every
three seconds. I'd get an idea this was occurring within an hour, as
logcheck mails me if portsentry goes off. So, maybe a thousand random
dialup IPs can't reach my machine. Since a potential attacker doesn't
know where I do business, the chances of this affecting me are slim to
slimmer than that.

> > If they're actually out to exploit the hole
>
> Why do you worry about holes in programs you don't even run?

I'm not worried about holes in programs I don't even run. I'm
interested in detecting, and taking action against, actions which
appear to be suspicious.

> No one can attack you with a portmapper-exploit if there's no portmapper
> to talk to.

I realise this.

> > When using software like this it's assumed that you have a good idea
> > of what is happening on the box.
>
> If I know what's happening on the box, I don't need a tool like this,
> as I don't run any services except those I intend to, with the latter
> ones being reasonably configured.

I still want to detect behaviour indicative of an attack and take action.

> > I don't have it trigger as a result of anything other than a full
> > TCP connect.
>
> see above
>
> > I have a default-deny firewall with portsentry.
>
> Consider a default-REJECT firewall. This is a lot nicer to others.

Until someone uses it as a mirror for a denial of service attack.
Legitimate traffic will never have any problems.

> > There are only around 5 valid services on the box,
>
> So these are the ones to worry about.
>
> > and about 30 fake ports wired up to portsentry.
>
> So you deliberately open up thirty ports without any real need to do
> so to get *what*?

To detect certain kinds of behaviours and take appropriate actions,
that's all.

> Why not simply close them and be done with it?

see above

> > People who have valid business on the box never run into trouble,
>
> They will, as demonstrated above.

Unlikely; at least, it hasn't happened in the last 3 or so years.

cheers,

-thomas

--
who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
     2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43
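An added example, not code from this thread or from portsentry itself, of the mitigation a defender would want for the objection quoted above: auto-blocks that expire after a TTL and a block table that is capped, so an address recycled from a dial-up pool is not shut out indefinitely. The decoy ports, TTL, ignore list and sample connect events are all constructed assumptions.

```python
"""Decoy-port auto-blocking with expiry and a size cap (constructed model).

A tool that blocks every source completing a TCP connect to a decoy port
will, against a caller cycling through dynamic addresses, accumulate
blocks that later hit innocent users of those addresses. A TTL per block
and a cap on the table bound that collateral damage.
"""
from collections import OrderedDict

DECOY_PORTS = {111, 515, 1080, 12345}   # constructed decoy ports
IGNORE = {"192.0.2.10"}                  # never-block hosts (constructed)
BLOCK_TTL = 600                          # seconds a block lives (assumption)
MAX_BLOCKED = 100                        # cap on table size (assumption)


class DecoyBlocker:
    def __init__(self, ttl=BLOCK_TTL, cap=MAX_BLOCKED):
        self.ttl, self.cap = ttl, cap
        self.blocked = OrderedDict()     # ip -> expiry time, oldest first

    def _expire(self, now):
        # Entries are inserted in time order with one TTL, so the oldest
        # entry is always the first to expire.
        while self.blocked and next(iter(self.blocked.values())) <= now:
            self.blocked.popitem(last=False)

    def connect(self, now, src_ip, dst_port):
        """Handle one completed TCP connect; return 'blocked', 'decoy' or 'ok'."""
        self._expire(now)
        if src_ip in self.blocked:
            return "blocked"             # any port, as long as the block lives
        if dst_port in DECOY_PORTS and src_ip not in IGNORE:
            if len(self.blocked) >= self.cap:
                self.blocked.popitem(last=False)   # evict oldest: bounded table
            self.blocked[src_ip] = now + self.ttl
            return "decoy"
        return "ok"

    def is_blocked(self, now, ip):
        self._expire(now)
        return ip in self.blocked


def simulate(events, ttl=BLOCK_TTL, cap=MAX_BLOCKED):
    """Run constructed (time, src_ip, dst_port) events; return verdicts and blocker."""
    b = DecoyBlocker(ttl, cap)
    return [b.connect(t, ip, port) for t, ip, port in events], b
```

With a permanent block list the same churn would leave every probed address blocked forever; here a recycled address is usable again once its TTL lapses, and the table never grows past the cap.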