
Re: counteracting an attack?



Hi!

> I agree, countermeasures can have bad effects, both karmically, and legally.
> If script kiddies are running scripts to attack your machine, why not have your machine run scripts to attack attackers?

Define attackers. And define it well enough for a script to distinguish
attackers from ordinary people without errors. If you can perform this
miracle - yes, why not.

> [portscanning]

As in every program, a good algorithm has to perform in the expected way and
it has to terminate. So apart from legal and ethical questions, you cannot
simply answer a portscan on your machine with a portscan on their machine,
this would never end.
So now we have a script that remembers the machines it did a portscan on
within a reasonable amount of time. This is already complicated enough for
plenty of bugs plus it opens your machine to DoS-attacks. Is all this
trouble worth the gain and what gain do we get anyway?

> Isn't there an option in portsentry to forward packets, once an 'attack' is detected, instead of dropping them?  So once portsentry decides someone is being malicious, it then starts forwarding all packets off to disney.com or something?  I think that's rather funny, however this may be another 'attack'.  Only now you're indirectly directly involved!

So now Disney, presumably a big company with good techs and even better
lawyers, receives the attack. But they are not on the same ethernet as you
and the attacker. The attacking packets have found their way from the
attacker to you through and then to Disney. Alright. Two cases:
Case one: Disney's techs cannot figure out what path the packets took. They
have to deal with the attacks and spend money on it. Good job! Better use M$
if you want to hear cheers but don't consider ethical questions.
Case two: Disney's techs can figure out what path the packets took. After a
bunch of attacks from different sources, all of them were untraceable when
taken alone, the techs were able to trace it back to you. So now the lawyers
will talk to you, find out that you were not the attacker and hand the job
back to the techs to find the original attackers? Unlikely.

Ergo:
Unless you are the NASA, secure your machine, log the attacks and smile. It
always hits those with bad firewalls and that is someone else's problem.

Jörn


