Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)
On Mon, 29 Jan 2001, Peter Cordes wrote:
> > bah. all this talk about portsentry being dangerous forgets that you can also
> > run it so it only triggers after a full TCP connect. while not un-spoofable,
> > it's very hard for an attacker to spoof as they have to be in-line between your
> > host and the host they're trying to spoof. plus, they'll have a task guessing
> > sequence numbers.
> Not true. To spoof a TCP connection, you need to guess the initial
> sequence number, and you need to stop RST packets from the spoofed host from
> reaching the host under attack, or else the host under attack will reset the
> TCP connection. If you are in-line with the host under attack, you can see
> the return traffic, and then you don't need to guess at the sequence number
> even. You will be able to block the return traffic from ever reaching the
> spoofed host. However, another way to accomplish the blocking is to DoS the
> spoofed host.
My bad. But the point seems moot, since if you're already able to squash
traffic between the hosts you might as well do that instead of trying to induce
a blocking response from portsentry. It's decidedly less trivial than sending
a spoofed SYN.
> I don't remember where I read this, either in an RFC, or in the book
> "Practical Unix and Internet Security".
who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43
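The handshake argument in the exchange above, as an added example (not code from portsentry or from either poster): a toy connect-mode monitor that only blocks a source after a valid third-packet ACK. It shows that a forged SYN alone blocks nobody, that a blind forger must both guess ISN+1 and keep the victim's RST from arriving, and that only the in-line attacker who can read the SYN/ACK and drop the RST gets the victim blocked. The class and function names and the addresses are made up for the example; the ISN check is a simplification of real TCP.

```python
import secrets


class ConnectModeSentry:
    """Toy model of a port monitor that blocks a source only after a full
    TCP three-way handshake (an assumption about portsentry's connect mode,
    not its code). A SYN-only monitor would block in on_syn() instead."""

    def __init__(self, isn_source=lambda: secrets.randbits(32)):
        self.isn_source = isn_source
        self.pending = {}    # (src_ip, src_port) -> ISN we sent in the SYN/ACK
        self.blocked = set()

    def on_syn(self, src_ip, src_port):
        isn = self.isn_source()
        self.pending[(src_ip, src_port)] = isn
        return isn           # the SYN/ACK is routed to src_ip, not to a forger

    def on_rst(self, src_ip, src_port):
        # The real owner of src_ip never sent a SYN, so its stack answers our
        # unsolicited SYN/ACK with RST and the half-open connection is dropped.
        self.pending.pop((src_ip, src_port), None)

    def on_ack(self, src_ip, src_port, ack_number):
        isn = self.pending.pop((src_ip, src_port), None)
        if isn is None or ack_number != (isn + 1) & 0xFFFFFFFF:
            return False     # handshake never completed: nothing gets blocked
        self.blocked.add(src_ip)
        return True


def forged_syn_only(sentry, victim="192.0.2.10", port=40000):
    """A forged SYN with nothing after it: connect mode blocks nobody."""
    sentry.on_syn(victim, port)
    return victim in sentry.blocked


def blind_forgery(sentry, ack_guess, rst_arrives, victim="192.0.2.10", port=40000):
    """Forger never sees the SYN/ACK: the ACK must carry a guessed ISN+1 and
    the victim's RST must not reach us first. Returns whether victim got blocked."""
    sentry.on_syn(victim, port)
    if rst_arrives:
        sentry.on_rst(victim, port)
    return sentry.on_ack(victim, port, ack_guess)


def inline_forgery(sentry, victim="192.0.2.10", port=40000):
    """Residual case from the thread: an attacker sitting between the hosts
    reads the SYN/ACK (so knows the ISN) and discards the victim's RST."""
    isn = sentry.on_syn(victim, port)
    return sentry.on_ack(victim, port, (isn + 1) & 0xFFFFFFFF)
```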