Firewall Wizards mailing list archives

Re: Response to door knocking


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 29 Jan 1999 18:29:39 -0500 (EST)

On Fri, 29 Jan 1999, Robert Graham wrote:

> Windows machines already do NetBIOS nodestatus requests (which
> firewall maintainers see all the time). Thus, if I set up a Windows NT

That doesn't necessarily make a wilful probe in response to a potential 
probe legally permitted.  I'd certainly advise having your legal counsel
approve such a response prior to implementing it.  

> 5.0 web server, it will use randomized TCP seqno (makes spoofing

NT4's "random" sequence numbers are known to be predictable even after a
patch to fix it; I've not seen any measurements on NT5, but I'm not sure I'd
want to go into court to try to prove that it couldn't possibly have been
someone with an HTTP_REFERER address linked to the next sequence number
backtracking.  Worse yet, if the client is predictable, and I've managed
to send them to you and initiate a spoofed probe based on some outside (to
the process of them and you communicating) channel, you're now attacking
a (clueless|innocent) victim.  If DNA tests can't be trusted, how the heck
will you explain random sequence numbers to a jury?  "If he can't predict,
you must convict?" (ugh, that was bad)

> almost impossible with being inline) and it will do reverse DNS and
> NetBIOS to resolve the incoming IP address. 

> Likewise, I know of several websites that do identd as a matter of
> policy. 

The law doesn't just look at what happened, it often looks at intent.
Also, once again you're talking about a potential jurisdictional issue
that spans the planet.  

> TCP fingerprinting is even more interesting. The current programs I
> know of (nmap, queso) send TCP packets to essentially new connections.
> But, you can equally include such fingerprinting as part of your TCP
> stack. For example, you can respond with weird TCP options on every
> single TCP connection, then judging from the responses, you can more
> closely identify the OS. Naturally, you have to be careful of the
> features you use so that connections don't get dropped. Thus, you
> aren't sending any "new" packets, but you are piggybacking information
> on top of them.

Knowing the OS doesn't really do much unless you intend to exploit that
information.  In that case, once again you have problems with culpability
and compromised hosts.

> > So let's say the spoofed request is such a request itself, with the
> > attacker claiming to be the victim of their own spoof?

> Exactly my point about solving simple pathological conditions. I
> wouldn't trigger on simple things like NetBIOS nodestatus, but I would
> trigger on an attempt to access a CGI script that I don't have
> installed but for which there exists well-known holes. In other words,
> the response should always be significantly less severe than the
> supposed attack. In any case, I propose doing nothing that isn't
> "normal" traffic anyway (except for TCP fingerprinting).

But if I've blind spoofed victim.com's connection to you, and requested
that cgi with "?/bin/sh cat ++>/.rhosts" appended to it, you're still
probing the wrong person.  If I own victim.com's upstream, your probes are
going to someone who isn't even involved in the exchange, and you may be
committing a felony unbeknownst to yourself, in victim.com's location.  

> Again, I am trying to restrict myself to "legitimate" traffic. Is it
> illegal, anywhere, to ping somebody? For the most part, this is
> untried in courts (except for Norway). From what I read in the US law,
> an "auto-nuke" program would be illegal, but an "auto-NetBIOS" would
> not be.

Look at Oregon's statute that Randal Schwartz was prosecuted under: if
they log the ping, you're changing data on their computer without
permission (as I read the statute; the original and updated ones are
online somewhere, a search for intel vs. schwartz should find them). 

There are, unfortunately, no federal standards, and the states
make their own rules, so it *may* be illegal to ping someone (enforced,
rational, or not), and worse yet, it may be illegal next month somewhere -
don't get me wrong, I'm not saying it's not a good idea, I'm just saying
there's potentially high risk in the activity, and I'd want a *very good*
legal opinion, lack of administrator culpability, legal insurance, and a
couple of other things before I'd seriously consider setting up such an
automated system.  

On the other side of that case, I'd be saying "If you can detect the probe
as an attack, why not simply dynamically filter packets from the attacker?
Why did you have to harm my innocent user whose idiotic provider was
illicitly trojaned by unknown attackers?  Your screen popping up affected
my user's production deadline, and we'll be addressing that in civil
court."

If you can detect it, you can /dev/null it, and that shouldn't be legally
questionable anywhere unless you've signed a really bad service contract
with someone.

Now, if we had a Colorado-esque "Go ahead, make my Network" law...
...and the hacker's name would be "d1r7Y H41rY" :-)

Now all I need is IPv44 :)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
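Added example, not code from either poster: Paul's objection above is that NT4's "random" initial sequence numbers were still predictable after the patch, and that a predictable ISN is exactly what lets an off-path attacker blind-spoof the connection you are about to "probe back". The script below takes the ISNs a host handed out on consecutive connections and looks at the deltas between them. The three sample sequences are constructed for the example (they are not measurements of any real stack), and the 2**16 cutoff for "predictable" is this example's own assumption, not a published index.

```python
"""
Rough TCP initial-sequence-number (ISN) predictability check.

Given ISNs a host handed out on consecutive connections, the deltas between
them show whether the next one is guessable: a fixed step (or a large GCD of
the steps) means an off-path attacker can forge the third packet of a
handshake, while widely scattered deltas do not.  The scoring is a simple
home-grown heuristic written for this example.
"""
from functools import reduce
from math import gcd
from statistics import pstdev

SEQ_SPACE = 1 << 32  # TCP sequence numbers wrap at 2**32

# Constructed samples (not measurements of any real stack):
#  - a fixed 64000 increment per connection, in the style of the classic
#    BSD scheme
#  - a little jitter on top of the same step, still trivially guessable
#  - widely scattered values, which is what a good generator looks like
FIXED_STEP = [1000, 65000, 129000, 193000, 257000]
JITTERED   = [100000, 164000, 228002, 292000, 356001]
SCATTERED  = [0x12345678, 0x9ABCDEF0, 0x0FEDCBA9, 0x87654321, 0xDEADBEEF]


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32 so that a wrap
    around the top of the sequence space does not look like a huge jump."""
    return [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]


def isn_gcd(isns):
    """GCD of the deltas: a large value means the stack steps the ISN by a
    fixed quantum, so the attacker only has to guess a small multiplier."""
    return reduce(gcd, isn_deltas(isns), 0)


def predict_next(isns):
    """The naive off-path guess: last ISN plus the last observed delta."""
    deltas = isn_deltas(isns)
    return (isns[-1] + deltas[-1]) % SEQ_SPACE


def predictability(isns):
    """Classify a run of ISNs.  Returns (verdict, stddev of deltas).
    The 2**16 cutoff is an assumption chosen for this example: deltas that
    cluster within 16 bits leave about 65536 candidates for the next ISN."""
    deltas = isn_deltas(isns)
    spread = pstdev(deltas)
    if len(set(deltas)) == 1:
        return "constant increment", spread
    if spread < (1 << 16):
        return "predictable", spread
    return "looks random", spread


if __name__ == "__main__":
    for name, sample in (("fixed step", FIXED_STEP),
                         ("jittered", JITTERED),
                         ("scattered", SCATTERED)):
        verdict, spread = predictability(sample)
        print(f"{name:11s} gcd={isn_gcd(sample):>6d} spread={spread:14.1f} "
              f"next guess={predict_next(sample):#010x} -> {verdict}")
```

To use it against a real host, collect the ISNs from the SYN/ACKs of a handful of back-to-back connections (a packet capture of your own client is enough) and feed them to `predictability`; anything other than "looks random" means the "it must have been the address in the SYN" argument Paul is worried about does not hold.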

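Added example, not code from either poster: it puts together Robert's trigger (a request for a well-known-hole CGI that this server does not have installed) with Paul's answer to it (if you can detect it, /dev/null it rather than probe back). The log lines are constructed in Common Log Format with invented addresses and timestamps; the CGI names are a short list of scripts that were widely probed for in that era; the deny-rule text is ipfw-style and illustrative only, and the expiry on the rule is this example's own idea, to limit the harm done to a spoofed source.

```python
"""
Detect probes for well-known vulnerable CGI scripts that are not installed
here, and respond with a packet-filter deny rule for the source instead of
any counter-probe.  Written for this example; the log, the server's CGI
inventory and the rule syntax are all hypothetical.
"""
import re
from urllib.parse import unquote

# Scripts that were widely probed for in the late 1990s.  None of them
# exists on this hypothetical server, so any request for one is a probe.
KNOWN_HOLE_CGIS = {
    "/cgi-bin/phf",
    "/cgi-bin/test-cgi",
    "/cgi-bin/nph-test-cgi",
    "/cgi-bin/handler",
}
INSTALLED = {"/cgi-bin/search.cgi"}  # assumption: the only real CGI here

# A newline or a shell command in the query string separates an exploit
# attempt (Paul's "?/bin/sh cat ++>/.rhosts") from a bare probe.
SHELL_HINT = re.compile(r"(\n|/bin/sh|/bin/cat|\.rhosts|\+\+>)", re.I)

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; addresses and timestamps are invented.
SAMPLE_LOG = [
    '10.1.2.3 - - [29/Jan/1999:18:29:39 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 214',
    '10.1.2.4 - - [29/Jan/1999:18:30:01 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 209',
    '10.1.2.5 - - [29/Jan/1999:18:30:12 -0500] "GET /cgi-bin/search.cgi?q=firewall HTTP/1.0" 200 1532',
    '10.1.2.6 - - [29/Jan/1999:18:31:00 -0500] "GET /index.html HTTP/1.0" 200 2048',
    '10.1.2.3 - - [29/Jan/1999:18:31:45 -0500] "GET /cgi-bin/phf?/bin/sh%20cat%20++>/.rhosts HTTP/1.0" 404 214',
]


def parse_clf(line):
    """Return the CLF fields as a dict, or None for a line we cannot parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return (source_ip, 'probe' | 'exploit'), or None for normal traffic."""
    rec = parse_clf(line)
    if rec is None:
        return None
    path, _, query = rec["url"].partition("?")
    if path not in KNOWN_HOLE_CGIS or path in INSTALLED:
        return None
    severity = "exploit" if SHELL_HINT.search(unquote(query)) else "probe"
    return rec["ip"], severity


def block_rules(lines, port=80, expire_minutes=60):
    """One deny rule per offending source, worst severity seen, in order of
    first appearance.  Returns (ip, severity, rule) tuples; the rule is what
    you hand to the packet filter instead of sending anything back.  The
    expiry bounds the damage if the source address was spoofed."""
    worst = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, severity = hit
        if worst.get(ip) != "exploit":   # never downgrade an exploit hit
            worst[ip] = severity
    return [
        (ip, sev,
         f"add deny tcp from {ip} to any {port}"
         f"  # {sev}, expire after {expire_minutes} min")
        for ip, sev in worst.items()
    ]


if __name__ == "__main__":
    for _ip, _sev, rule in block_rules(SAMPLE_LOG):
        print(rule)
```

Note what the rule does not do: it never sends a packet to the claimed source, so a blind-spoofed request costs the "victim" at most an hour of being filtered by one server, rather than a probe arriving in whatever jurisdiction they sit in.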

