
Re: blocking icmp...



On Tue, 27 May 2003, Gary Hennigan wrote:
> Personally, I'd rather make my presence on the 'net as hard to
> discover as possible. If you allow echo requests it's a simple matter
> for someone to run nmap, for example, to find out that a particular IP
> address is valid. If you block such messages any cracker will likely
> just move on to the next poor slob when your IP address doesn't show
> up on his nmap scan.

Watching what hits my firewall, I have come to the following
conclusions about the type and number of potential internet security
intrusions[1]:

1) Windows Networking Connection Attempts.

First and foremost, I get a lot of netbios and netbios-over-TCP 
connection attempts.  Since I don't run a honeypot, I can't say what's
trying to connect, but if I'd have to guess, most of them are probably 
viruses, and maybe a script kiddie or two thrown in.

2) Probable viral activity - Microsoft SQL port connection attempts,
HTTP connection attempts, etc.

3) FTP connection attempts - ProFTP gets a lot of anonymous connection 
attempts.  Since FTP seems to be a poor way to spread a virus, I'm
chalking this up to scripts trying to see if I have working anonymous 
FTP.

So, what do my logs tell me?

The majority of the traffic seems to be viruses and scripts that try to 
connect to default services just to see what's out there.

After that, it seems to be the script kiddies trying default attacks, 
without caring what OS/daemons your machine is actually running.

Based on this information, trying to hide/disguise your machine in
order to avoid attacks is mostly a waste of time.  The Slammer worm
doesn't check to see if I'm a Windows machine or not - it just tries to
connect and run the exploit.  Same with the script kiddies, they'll just
try to run their default exploits and see what happens.

Now don't get me wrong - there are skilled people out there that can use
the information they get from pings, etc, to break into your machines.
However, those sorts of hackers are few and far between, viruses are
numerous, and there are more script kiddies than true hackers.

Besides, if you are a hacker who has an unknown exploit, I'm guessing
that you'll scan machines on the port that service listens on.

I'm not saying that dropping certain packets isn't useful - it does
provide a small measure of security.  However, that security comes with
a price - you're no longer playing nicely on the TCP/IP playground.
Instead of kicking the soccer ball back to the other kids, you're
throwing it onto the roof and yelling neener-neener to the other kids.

In the end, it's better to REJECT (not DROP) by default, and open up
the valid ICMP stuff.

Anyways, isn't ICMP also used to calculate optimal packet size, etc?
Been awhile since I've done networking, but I know that ICMP is used for
more than echo requests.

Of course, YMMV,

Jesse Meyer


[1] Sorry for the vague term, but I'm not going to call everything that 
hits my firewall an attack - it might be a misconfigured server, for
example, trying to authenticate through me.  Probably not, but maybe.

-- 
        ...crying "Tekeli-li! Tekeli-li!"... ~ HPL
 icq : 34583382              |     === ascii ribbon campaign ===
 msn : dasunt@hotmail.com    |  ()  - against html mail
 yim : tsunad                |  /\  - against proprietary attachments

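The two practical points in the mail above, bucketing what hits the firewall by the service being probed and refusing by default with REJECT rather than DROP while still admitting the ICMP that TCP/IP needs (fragmentation-needed for path MTU discovery, time-exceeded, and so on), as an added shell example that is not part of the original mail or the thread. The netfilter LOG lines, the port buckets and the rate limit are constructed for illustration; the ruleset is written for iptables-restore on a Linux host and assumes the conntrack match is available.

```shell
#!/bin/sh
# Added example, not from the original mail. Part 1 triages firewall log
# hits into the categories the mail describes; part 2 emits an iptables
# ruleset that refuses politely by default and keeps useful ICMP open.

# Constructed sample of netfilter LOG lines (only the fields we use).
SAMPLE_LOG='kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3921 DPT=445
kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=1045 DPT=139
kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=UDP SPT=1434 DPT=1434
kernel: IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 PROTO=TCP SPT=2200 DPT=80
kernel: IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.5 PROTO=TCP SPT=40120 DPT=21
kernel: IN=eth0 OUT= SRC=192.0.2.15 DST=198.51.100.5 PROTO=TCP SPT=2201 DPT=137
kernel: IN=eth0 OUT= SRC=192.0.2.16 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0'

# classify_hits: read LOG lines on stdin, print "category count" lines
# sorted by category. The buckets follow the mail's own grouping
# (Windows networking, probable worm traffic, FTP probes); port sets are
# constructed and should be adjusted to what a given host actually logs.
classify_hits() {
    awk '
    {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto == "ICMP")
            cat = "icmp"
        else if (dpt == "137" || dpt == "138" || dpt == "139" || dpt == "445")
            cat = "windows-networking"
        else if (dpt == "1433" || dpt == "1434" || dpt == "80")
            cat = "probable-worm"
        else if (dpt == "21")
            cat = "ftp-probe"
        else
            cat = "other"
        count[cat]++
    }
    END { for (c in count) print c, count[c] }' | sort
}

# icmp_ruleset: emit an iptables-restore ruleset for the filter table.
# Chain policies can only be ACCEPT or DROP, so the "refuse by default"
# behaviour is the pair of catch-all rules at the end; the DROP policy
# is only a safety net if those rules are ever removed.
icmp_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# echo-request: answer pings, but rate-limited (limit value is illustrative)
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# destination-unreachable includes code 4 (fragmentation-needed), which
# path MTU discovery depends on; blocking it makes large transfers stall
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
# time-exceeded is what traceroute and TTL-expiry feedback rely on
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# everything else gets an explicit refusal rather than silence
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Usage: sh fw.sh triage < /var/log/kern.log   -> counts per category
#        sh fw.sh show                           -> print the ruleset
#        sh fw.sh apply                          -> load it (root required)
case "${1:-}" in
    triage) classify_hits ;;
    show)   icmp_ruleset ;;
    apply)  icmp_ruleset | iptables-restore ;;
esac
```

The triage function only looks at PROTO and DPT, so it works on the default LOG target output without any extra log prefix; anything that does not fall into a named bucket lands in "other", which is the bucket worth reading by hand. The ruleset deliberately uses both tcp-reset for TCP and icmp-port-unreachable for everything else so that a refused connection fails immediately on the other side instead of timing out.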