[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Intrusion Attempts

Ariel Graneros <ariel@mejujuy.gov.ar> writes:

> On Tue, 3 Dec 2002 21:19:28 EST Trawets53@aol.com wrote:
>> Hi. Can you help me. Who do I report the above to. I have 2 firewalls
>> running and tonight I was attacked from the same address 172 times in
>> less than an hour. These people want banning off the net. It is
>> certainly a violation of my privacy. A dozen times is an excuse but 172,
>> I ask you. Please come back.
> A good solution is portsentry:
> http://www.psionic.com/products/portsentry.html

No, a good solution is whois(1). 

If the OP's complaint is valid (do we have logs / a description of what was
going off? Has he taken a cold shower since posting?) then a complaint to
abuse@ the ISP providing the incoming IP#s *may* be appropriate.

Otherwise there are perfectly rational explanations for quite a lot of
perceived "attack"s; maybe this avenue should be persued further.

> PortSentry is part of the TriSentry suite of security tools. It is a
> program designed to detect and respond to port scans against a target
> host in real-time. Stealth detection modes are available under all Unix
> platforms and detects SYN, FIN, NULL, XMAS, and Oddball packet scans. All
> modes support real-time blocking and reporting of violations.

I've just explained over on comp.os.linux.security why portsentry is a
lousy idea, but to summarize:

a) "dynamic" means nothing when the packets shouldn't have permeated to
   user-space at all;

b) risk of auto-DoS if someone spoofs a given set of valuable IP#s;

c) having to have no firewall, or extra holes in a firewall, in order to
   detect a finite set of events seems daft when you could just be blocking
   them already by default.

IOW, write a proper firewall with DROP-by-default and only as few services
open as you need, and if you want a different view on what attacks are
going off, get something with a *much* larger rule-base like _snort_

And when you get a real incident of either massive abuse or targetted
attacks, *then* you whine to the people responsible.

172 packets dropped in a firewall does not a DoS - or even an attack -


Reply to: