
Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)



thomas lakofski <thomas@88.net> writes:
> On 29 Jan 2001, Rainer Weikusat wrote:
> > Random garbage traveling across the 'net is exactly this: Random
> > garbage.
> 
> ok, and?

Why bother? 

> > If I suffer from dynamic IP allocations, you would be blocking
> > hundreds of IPs within a comparatively short amount of time

[...]

> I think the machine can manage to handle executing a command every three
> seconds.

Probably. But checking every incoming packet against some hundred
bogus filtering rules will degrade network performance, possibly in a
way that might get noticed.

> > Why do you worry about holes in programs you don't even run?
> 
> I'm not worried about holes in programs I don't even run.  I'm interested in
> detecting, and taking action against, actions which appear to be
> suspicious.

Like prophylactically lynching certain 32-bit-numbers?

> > If I know what's happening on the box, I don't need a tool like this,
> > as I don't run any services except those I intend to, with the latter
> > ones being reasonably configured.
> 
> I still want to detect behaviour indicative of an attack

You *cannot*. You can recognize an attack that's happening, not a
possibly happening attack. For instance, shortly after w2k hit the
'net, machines from all over the world started flooding us with
packets to port 28800, which, due to a dialup-link, became quite
expensive to us. Nevertheless, this probably wasn't an attack, but a
simple configuration problem (and I don't even know if it was
Windows-related. It just happened around the same time).

> and take action.

Your TCP/IP-stack would take that action ("dumping of garbage
packets") automatically. 

> > > I have a default-deny firewall with portsentry.
> >
> > Consider a default-REJECT firewall. This is a lot nicer to others.
> 
> Until someone uses it as a mirror for a denial of service attack.

Or a certain person comes across a certain RFC, wherein 'they talk'
of ICMP rate limiting.

> Legitimate traffic will never have any problems.

Legitimate traffic will have problems, given the situation outlined in
my previous post.

<mode=flame>
Was that too complicated for you or have you simply been
lobotomized in the past?
</>

> > They will, as demonstrated above.
> 
> Unlikely; at least, it hasn't happened in the last 3 or so years.

There's no way for you to tell.

-- 
SIGSTOP
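The default-REJECT versus default-DROP argument above (and the point about rate-limiting the rejections so the box cannot be turned into a reflector) in a modern nftables ruleset; this is an added illustration, not something either poster wrote, and it assumes SSH on port 22 is the only service the host intends to offer.

```nftables
# Added example: reject unwanted connections politely, but only at a bounded
# rate; anything above the limit falls through to the chain policy (drop).
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and replies to our own connections are always fine
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # the services this host actually intends to run (assumption: sshd)
        tcp dport 22 accept

        # Be "nicer to others": tell the peer the port is closed right away,
        # instead of letting its connect() time out against a silent drop ...
        # ... but cap the number of rejections per second so an attacker
        # spoofing source addresses cannot use this host to spray RSTs or
        # ICMP unreachables at a victim (the "mirror" concern in the thread).
        meta l4proto tcp limit rate 10/second burst 20 packets reject with tcp reset
        meta l4proto udp limit rate 10/second burst 20 packets reject with icmpx type port-unreachable

        # no per-source blocklist is grown here: random garbage from the net
        # costs one rule evaluation and, at worst, one rate-limited reject
    }
}
```

Load with `nft -f <file>` and inspect counters with `nft list ruleset`; the rule set stays a fixed, small size regardless of how many scanning hosts show up, which is the resource argument made against auto-blocking tools earlier in the message.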
