
Re: Intrusion Attempts



Ariel Graneros <ariel@mejujuy.gov.ar> writes:

> On Tue, 3 Dec 2002 21:19:28 EST Trawets53@aol.com wrote:
>
>> Hi. Can you help me. Who do I report the above to. I have 2 firewalls
>> running and tonight I was attacked from the same address 172 times in
>> less than an hour. These people want banning off the net. It is
>> certainly a violation of my privacy. A dozen times is an excuse but 172,
>> I ask you. Please come back.
>
> A good solution is portsentry:
>
> http://www.psionic.com/products/portsentry.html

No, a good solution is whois(1). 

If the OP's complaint is valid (do we have logs / a description of what was
going off? Has he taken a cold shower since posting?) then a complaint to
abuse@ the ISP providing the incoming IP#s *may* be appropriate.

Otherwise there are perfectly rational explanations for quite a lot of
perceived "attack"s; maybe this avenue should be pursued further.

> PortSentry is part of the TriSentry suite of security tools. It is a
> program designed to detect and respond to port scans against a target
> host in real-time. Stealth detection modes are available under all Unix
> platforms and detects SYN, FIN, NULL, XMAS, and Oddball packet scans. All
> modes support real-time blocking and reporting of violations.

I've just explained over on comp.os.linux.security why portsentry is a
lousy idea, but to summarize:

a) "dynamic" means nothing when the packets shouldn't have permeated to
   user-space at all;

b) risk of auto-DoS if someone spoofs a given set of valuable IP#s;

c) having to have no firewall, or extra holes in a firewall, in order to
   detect a finite set of events seems daft when you could just be blocking
   them already by default.

IOW, write a proper firewall with DROP-by-default and only as few services
open as you need, and if you want a different view on what attacks are
going off, get something with a *much* larger rule-base like _snort_
instead.

And when you get a real incident of either massive abuse or targeted
attacks, *then* you whine to the people responsible.

172 packets dropped in a firewall does not a DoS - or even an attack -
make. 

~Tim
-- 
<http://spodzone.org.uk/>
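
An added example, not part of the original message: one way to produce the "logs / a description" the reply asks for before anything is sent to abuse@, by summarizing firewall drops per source. It assumes netfilter LOG-style lines; the sample lines, the addresses (documentation ranges), the port numbers and the 10-port threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches netfilter LOG-style records: syslog timestamp, SRC=, PROTO=, DPT=.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?PROTO=(\S+).*?DPT=(\d+)")
SCAN_PORTS = 10  # assumed threshold: this many distinct ports looks like a sweep

def constructed_sample():
    """Constructed input: 172 drops from one source on one port, plus a 12-port sweep."""
    t0 = datetime(2002, 12, 3, 20, 20, 0)
    fmt = "{} fw kernel: DROP IN=ppp0 OUT= SRC={} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={}"
    stamp = lambda secs: (t0 + timedelta(seconds=secs)).strftime("%b %d %H:%M:%S")
    lines = [fmt.format(stamp(20 * i), "198.51.100.7", 4662) for i in range(172)]
    lines += [fmt.format(stamp(i), "203.0.113.9", 20 + i) for i in range(12)]
    return lines

def summarize(lines, year=2002):
    """Group drop records by source address; syslog lines carry no year, so pass it in."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "times": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a firewall drop record
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        s = per_src[m.group(2)]
        s["count"] += 1
        s["ports"].add((m.group(3), int(m.group(4))))
        s["times"].append(ts)
    return per_src

def report(lines):
    """Return {source: (packets, distinct ports, packets per minute, label)}."""
    out = {}
    for src, s in summarize(lines).items():
        minutes = max((max(s["times"]) - min(s["times"])).total_seconds() / 60, 1)
        label = "multi-port sweep" if len(s["ports"]) >= SCAN_PORTS else "same port(s) repeatedly"
        out[src] = (s["count"], len(s["ports"]), round(s["count"] / minutes, 1), label)
    return out

if __name__ == "__main__":
    for src, row in report(constructed_sample()).items():
        print(src, *row)
```

On the constructed input, the 172-packet source comes out at about three packets a minute against a single port, while the much smaller 12-packet source is the one that touches many ports.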


