
Re: Intrusion Attempts

On Tue, 2002-12-10 at 14:44, Tim Haynes wrote:
> Ariel Graneros <ariel@mejujuy.gov.ar> writes:
> > On Tue, 3 Dec 2002 21:19:28 EST Trawets53@aol.com wrote:
> >
> >> Hi. Can you help me. Who do I report the above to. I have 2 firewalls
> >> running and tonight I was attacked from the same address 172 times in
> >> less than an hour. These people want banning off the net. It is
> >> certainly a violation of my privacy. A dozen times is an excuse but 172,
> >> I ask you. Please come back.
> >
> > A good solution is portsentry:
> >
> > http://www.psionic.com/products/portsentry.html
> No, a good solution is whois(1). 
> If the OP's complaint is valid (do we have logs / a description of what was
> going off? Has he taken a cold shower since posting?) then a complaint to
> abuse@ the ISP providing the incoming IP#s *may* be appropriate.
> Otherwise there are perfectly rational explanations for quite a lot of
> perceived "attack"s; maybe this avenue should be pursued further.
> > PortSentry is part of the TriSentry suite of security tools. It is a
> > program designed to detect and respond to port scans against a target
> > host in real-time. Stealth detection modes are available under all Unix
> > platforms and detects SYN, FIN, NULL, XMAS, and Oddball packet scans. All
> > modes support real-time blocking and reporting of violations.
> I've just explained over on comp.os.linux.security why portsentry is a
> lousy idea, but to summarize:
> a) "dynamic" means nothing when the packets shouldn't have permeated to
>    user-space at all;
> b) risk of auto-DoS if someone spoofs a given set of valuable IP#s;
> c) having to have no firewall, or extra holes in a firewall, in order to
>    detect a finite set of events seems daft when you could just be blocking
>    them already by default.

But portsentry may still be a good thing to have if for some reason the
firewall gets flushed. I know, this should never happen, but it can.

With PS you can then at least try to limit the damage by blocking
selected IPs. Of course you can pretty much DoS yourself as you stated.

> IOW, write a proper firewall with DROP-by-default and only as few services
> open as you need, and if you want a different view on what attacks are
> going off, get something with a *much* larger rule-base like _snort_
> instead.
> And when you get a real incident of either massive abuse or targeted
> attacks, *then* you whine to the people responsible.
> 172 packets dropped in a firewall does not a DoS - or even an attack -
> make. 

My firewall dropped 200+ packets in about 2 hours. Gotta love

Matthias Hentges
[www.hentges.net] -> PGP + HTML are welcome
ICQ: 97 26 97 4   -> No files, no URLs

My OS: Debian Woody: Geek by Nature, Linux by Choice
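Tim's point in the quoted text is that "172 times in less than an hour" means nothing until someone looks at what the firewall actually logged: which ports, how fast, whether the source port is 53 (late DNS replies are one of the "perfectly rational explanations"). As an added example, not code from this thread or from any of its posters, the Python script below parses iptables LOG lines, aggregates them per source address, and attaches a rough triage label so a count like 172 can be read as a scan, a repeated hit on one port, or plain noise. The log lines are constructed for the example (addresses are RFC 5737 documentation ranges), and the thresholds in classify() are assumptions chosen here, not anything the thread states.

```python
"""Per-source triage of iptables LOG lines (added example, not from the thread).

Assumes the syslog line shape produced by the iptables LOG target, i.e.
"<Mon> <day> <HH:MM:SS> <host> kernel: <prefix> IN=... SRC=... DST=... PROTO=... SPT=... DPT=..."
Thresholds below are this example's own assumptions.
"""
import re
from datetime import datetime

# Constructed sample: one source probing several ports in a few seconds,
# one source sending UDP from port 53 (looks like late DNS replies),
# and one single stray SYN. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 10 22:01:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=135 SYN
Dec 10 22:01:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4322 DPT=139 SYN
Dec 10 22:01:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4323 DPT=445 SYN
Dec 10 22:01:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4324 DPT=1433 SYN
Dec 10 22:15:40 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1026
Dec 10 22:15:41 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1026
Dec 10 22:30:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=80 SYN
"""

# Only the fields this triage needs; LEN=/TTL=/ID= etc. are skipped by the .*?
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict for one LOG line, or None if it is not a netfilter log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # syslog has no year; strptime defaults to 1900, which is fine for deltas
    # (lines spanning midnight on different days would need the year anyway).
    ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
    return {
        "ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "spt": int(m["spt"]) if m["spt"] else None,
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def summarize(log_text):
    """Aggregate hits, ports, protocols and time span per source address."""
    per_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = per_src.setdefault(rec["src"], {
            "hits": 0, "dpts": set(), "spts": set(), "protos": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        e["hits"] += 1
        e["protos"].add(rec["proto"])
        if rec["dpt"] is not None:
            e["dpts"].add(rec["dpt"])
            e["spts"].add(rec["spt"])
        e["first"] = min(e["first"], rec["ts"])
        e["last"] = max(e["last"], rec["ts"])
    return per_src


def classify(entry):
    """Rough triage label. The cut-offs (3 ports / 60 s, 100 hits / 1 h) are assumptions."""
    span = (entry["last"] - entry["first"]).total_seconds()
    if entry["protos"] == {"UDP"} and entry["spts"] == {53}:
        return "udp-from-53"      # replies to our own DNS queries arriving late
    if len(entry["dpts"]) >= 3 and span <= 60:
        return "portscan-like"    # many distinct ports in a short window
    if entry["hits"] >= 100 and span <= 3600:
        return "persistent"       # the "172 in under an hour" case: worth a whois(1)
    return "isolated"             # background noise


def report(log_text):
    """List of (src, hits, label), busiest source first."""
    rows = [(src, e["hits"], classify(e)) for src, e in summarize(log_text).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, hits, label in report(SAMPLE_LOG):
        print(f"{src:16} {hits:4d} hits  {label}")
```

Run it as-is to see the three constructed sources labelled; point it at a real /var/log/messages excerpt by reading the file into report(). The labels are deliberately coarse: they only decide whether a source deserves a whois(1) lookup and an abuse@ mail, which is exactly the triage step Tim is asking for before anyone complains.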
