
Re: Stopping people finding out uptime?



On Mon, 15 Apr 2002, Daniel Pittman wrote:

> On Mon, 15 Apr 2002, David B. Harris wrote:
> > On Mon, 15 Apr 2002 14:20:34 +1000
> > Daniel Pittman <daniel@rimspace.net> wrote:
> >> So, hiding this information does not protect you from attacks. All it
> >> does is give you a false feeling of confidence in your "protection"
> >> -- which is, in the end, non-existent.
> >>
> >> Security through obscurity isn't, and hiding your uptime is
> >> obscurity.

Alternatively, I would describe this uptime-hiding idea as:

Security through layers of protection /is/ security, and hiding
your uptime adds a layer of obscurity.


> > In the meantime, some script kiddie somewhere is flooding my network
> > with scans to detect what OS a given machine is running, and how long
> > it's been up.
>
> Alternately, as with many of these things, they have their
> script running around and attempting the crack on anything at
> all or, possibly, the slightly more targeted, anything that
> looks remotely similar. :)

I'd just point out here that the likely scenario (and the one that
initiated this thread) is that someone is running nmap against the
network and building a database of:

- which hosts are alive
- what ports look open
- what OS and version (ranges), if possible
- uptime

So your determined, focused attacker finds a problem with OS
"foo", versions "1-N", and so queries the database for boxes that
match those criteria. For bonus points, he looks for qualifying
boxes that don't reboot often. These are boxes that probably don't
get much (security) attention. It's just slightly less of a
crapshoot, because maybe the box rebooted between the scan and the
attack (and why?); or, maybe the box was feeding misleading uptime
information; or ...


> Hiding the information does nothing for you because the script
> that you see as "scanning" is much more likely to be attempting
> to break in automatically, not just guessing what might be worth
> attacking.

Depends on the script, obviously; in the nmap-getting-uptime case,
it's just information-gathering (possibly for a later, focused
attack).


> > That's not how it works in the real world, folks. There, every bit
> > helps.
>
> No, it doesn't, and it often gives a sense of security to people
> that is based on the assumption that they are facing something
> with a brain, such that their hiding information from it will do
> anything to stop it.

I think overall, you're looking at both attack/scan scenarios:
- pure information-gathering
- exploit attempts

Either may be manual or automatic. Why not put the proverbial
finger in as many cracks of the dam as possible?

-jeff
-- 
Negative campaigning has emerged as a major issue in the presidential
primaries.  What do you think? "If you ask me, these cheap, mudslinging ads
drag the political process down to a level so juvenile and debased, I can
actually understand it." George Lowell, Investment Banker.  The Onion


-- 
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org