[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: portsentry dangerous? hardly

On Mon, 29 Jan 2001, Peter Cordes wrote:

> On Mon, Jan 29, 2001 at 07:06:56PM +0000, thomas lakofski wrote:
> > My bad.  But the point seems moot, since if you're already able to squash
> > traffic between the hosts you might as well do that instead of trying to induce
> > a blocking response from portsentry.  It's decidedly less trivial than sending
> > a spoofed SYN.
>  True, it is easier just to DoS, but if you get portsentry to do something,
> then you can stop your DoS attack, and things stay broken.  That would make
> the attack a lot harder to trace.
>  That's why I don't think anyone should ever run software that sets up
> blocks in response to possible attacks it has detected, unless the software
> is sophisticated enough to make sure it doesn't block anything it shouldn't,
> at least not permanently.  (I remember reading about some US Gov guys doing
> security research who had a whole bunch of programs all over their network
> that collected info and responded automatically, and another team trying to
> break in.  In that case, I guess blocking in response to attacks works, but
> that's a lot smarter than e.g. blocking everyone who fingers you.  What
> about people who honestly forgot your email address?)

I think there should be a difference between real crackers and script
kids. Portsentry is just wonderfull for blocking people running subnet
scans for certain ports that you're machine isn't providing any services
for (services like rpc and lpd are mostly not usefull for other people on
a webserver). In those cases portsentry will block those hosts completely
without the risk of trying exploits on service ports that do have a
specific function (imap, smtp etc).

Real crackers are more host specific. They don't do subnetscans.


Eelco van Beek

Reply to: