
Re: portsentry dangerous? hardly



On Mon, Jan 29, 2001 at 07:06:56PM +0000, thomas lakofski wrote:
> My bad.  But the point seems moot, since if you're already able to squash
> traffic between the hosts you might as well do that instead of trying to induce
> a blocking response from portsentry.  It's decidedly less trivial than sending
> a spoofed SYN.

 True, it is easier just to DoS, but if you get portsentry to do something,
then you can stop your DoS attack, and things stay broken.  That would make
the attack a lot harder to trace.

 That's why I don't think anyone should ever run software that sets up
blocks in response to possible attacks it has detected, unless the software
is sophisticated enough to make sure it doesn't block anything it shouldn't,
at least not permanently.  (I remember reading about some US Gov guys doing
security research who had a whole bunch of programs all over their network
that collected info and responded automatically, and another team trying to
break in.  In that case, I guess blocking in response to attacks works, but
that's a lot smarter than e.g. blocking everyone who fingers you.  What
about people who honestly forgot your email address?)

 The best practice is to notify a human of the situation, so they can do
something intelligent :)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
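To make the objection concrete, here is a small simulation of the two designs the message contrasts: a reactive blocker that permanently blocks whatever source address appears in a single SYN to a trip-wire port, beside one that refuses to block hosts the site cannot afford to lose, expires its blocks, and records an alert for a human. This is an added example, not portsentry's code; the trip-wire ports, the 192.0.2.53 address and the one-packet attack sequence are constructed for illustration.

```python
"""Reactive port-blocking, naive vs. hardened.  Added example, not
portsentry's own code.  The trip-wire ports, addresses and probe sequence
below are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Set

# Ports the blocker treats as trip-wires.  Assumed for the example; a real
# deployment would use whatever unused ports the admin configured.
TRIPWIRE_PORTS = {111, 1524, 31337}


@dataclass(frozen=True)
class Probe:
    """One observed SYN.  `src` is whatever the IP header says; a lone SYN
    carries no proof that the named host actually sent it."""
    src: str
    dport: int
    t: float  # seconds since the simulation started


class NaiveBlocker:
    """Blocks the claimed source forever on the first hit of a trip-wire port."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def handle(self, p: Probe) -> None:
        if p.dport in TRIPWIRE_PORTS:
            self.blocked.add(p.src)

    def allows(self, ip: str, now: float) -> bool:
        return ip not in self.blocked


class HardenedBlocker:
    """Same trigger, but blocks expire after `ttl` seconds, hosts the site
    cannot afford to lose are never blocked, and every trigger is recorded
    so a human can review what happened."""

    def __init__(self, never_block: Set[str], ttl: float) -> None:
        self.never_block = set(never_block)
        self.ttl = ttl
        self.blocked: Dict[str, float] = {}   # ip -> expiry time
        self.alerts: List[str] = []

    def handle(self, p: Probe) -> None:
        if p.dport not in TRIPWIRE_PORTS:
            return
        if p.src in self.never_block:
            self.alerts.append(
                f"t={p.t:.0f} trip-wire {p.dport} hit by protected host {p.src}; NOT blocking")
            return
        self.blocked[p.src] = p.t + self.ttl
        self.alerts.append(
            f"t={p.t:.0f} trip-wire {p.dport} hit by {p.src}; blocked until t={p.t + self.ttl:.0f}")

    def allows(self, ip: str, now: float) -> bool:
        expiry = self.blocked.get(ip)
        if expiry is None:
            return True
        if now >= expiry:
            del self.blocked[ip]   # block has aged out
            return True
        return False


def reachable_after(blocker, probes: List[Probe], ip: str, now: float) -> bool:
    """Feed the probes to the blocker, then ask whether `ip` can still reach us at time `now`."""
    for p in probes:
        blocker.handle(p)
    return blocker.allows(ip, now)


# Constructed scenario: the attacker sends one SYN to a trip-wire port with the
# source address forged as the site's upstream DNS server, then goes quiet.
DNS_SERVER = "192.0.2.53"        # documentation-range address, constructed
ATTACKER_SPOOFED = [Probe(src=DNS_SERVER, dport=31337, t=0.0)]


if __name__ == "__main__":
    an_hour_later = 3600.0
    print("naive, DNS reachable an hour later:",
          reachable_after(NaiveBlocker(), ATTACKER_SPOOFED, DNS_SERVER, an_hour_later))
    h = HardenedBlocker(never_block={DNS_SERVER}, ttl=600.0)
    print("hardened, DNS reachable an hour later:",
          reachable_after(h, ATTACKER_SPOOFED, DNS_SERVER, an_hour_later))
    for a in h.alerts:
        print("  alert:", a)
```

With the naive blocker the single forged packet leaves the DNS server blocked an hour later even though the attacker sent nothing further, which is the "things stay broken" outcome the message describes. The hardened variant only ever raises an alert for a protected host, and for anything else the block lapses after the TTL, so a forged packet buys the attacker at most a bounded outage rather than a permanent one. Nothing here authenticates the source address; the only real defence against this class of trick is to avoid acting irreversibly on unauthenticated input.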
