Re: Intrusion Attempts

To: debian-security@lists.debian.org
Subject: Re: Intrusion Attempts
From: Matthias Hentges <eebe@gmx.net>
Date: 10 Dec 2002 17:53:01 +0100
Message-id: <1039539180.4214.27.camel@mhcln02>
In-reply-to: <86wumivvib.fsf@potato.vegetable.org.uk>
References: <14c.184c51f1.2b1ec030@aol.com> <20021210102408.2275b830.ariel@mejujuy.gov.ar> <86wumivvib.fsf@potato.vegetable.org.uk>

Am Die, 2002-12-10 um 14.44 schrieb Tim Haynes:
> Ariel Graneros <ariel@mejujuy.gov.ar> writes:
> 
> > On Tue, 3 Dec 2002 21:19:28 EST Trawets53@aol.com wrote:
> >
> >> Hi. Can you help me. Who do I report the above to. I have 2 firewalls
> >> running and tonight I was attacked from the same address 172 times in
> >> less than an hour. These people want banning off the net. It is
> >> certainly a violation of my privacy. A dozen times is an excuse but 172,
> >> I ask you. Please come back.
> >
> > A good solution is portsentry:
> >
> > http://www.psionic.com/products/portsentry.html
> 
> No, a good solution is whois(1). 
> 
> If the OP's complaint is valid (do we have logs / a description of what was
> going off? Has he taken a cold shower since posting?) then a complaint to
> abuse@ the ISP providing the incoming IP#s *may* be appropriate.
> 
> Otherwise there are perfectly rational explanations for quite a lot of
> perceived "attack"s; maybe this avenue should be persued further.
> 
> > PortSentry is part of the TriSentry suite of security tools. It is a
> > program designed to detect and respond to port scans against a target
> > host in real-time. Stealth detection modes are available under all Unix
> > platforms and detects SYN, FIN, NULL, XMAS, and Oddball packet scans. All
> > modes support real-time blocking and reporting of violations.
> 
> I've just explained over on comp.os.linux.security why portsentry is a
> lousy idea, but to summarize:
> 
> a) "dynamic" means nothing when the packets shouldn't have permeated to
>    user-space at all;
> 
> b) risk of auto-DoS if someone spoofs a given set of valuable IP#s;
> 
> c) having to have no firewall, or extra holes in a firewall, in order to
>    detect a finite set of events seems daft when you could just be blocking
>    them already by default.

ACK
But portsentry may still be a good thing to have if for some reason the
firewall gets flushed. I know, this should never happen, but it can.

With PS you can then at least try to limit the damage by blocking
selected IPs. Of cource you can pretty much DOS yourselfe as you stated
above.

> IOW, write a proper firewall with DROP-by-default and only as few services
> open as you need, and if you want a different view on what attacks are
> going off, get something with a *much* larger rule-base like _snort_
> instead.
> 
> And when you get a real incident of either massive abuse or targetted
> attacks, *then* you whine to the people responsible.
> 
> 172 packets dropped in a firewall does not a DoS - or even an attack -
> make. 
> 

ACK

My firewall dropped 200+ packets in about 2 hours. Gotta love
EDonkey.....
-- 

Matthias Hentges
[www.hentges.net] -> PGP + HTML are welcome
ICQ: 97 26 97 4   -> No files, no URLs

My OS: Debian Woody: Geek by Nature, Linux by Choice

Reply to:

Follow-Ups:
- Re: Intrusion Attempts
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>

References:
- Intrusion Attempts
  - From: Trawets53@aol.com
- Re: Intrusion Attempts
  - From: Ariel Graneros <ariel@mejujuy.gov.ar>
- Re: Intrusion Attempts
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>

Prev by Date: Fuera estrés ya !!!
Next by Date: Re: Intrusion Attempts
Previous by thread: Re: Intrusion Attempts
Next by thread: Re: Intrusion Attempts
Index(es):
- Date
- Thread