Firewall Wizards mailing list archives
Re: Response to door knocking
From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 29 Jan 1999 18:29:39 -0500 (EST)
On Fri, 29 Jan 1999, Robert Graham wrote:
> Windows machines already do NetBIOS nodestatus requests (which firewall maintainers see all the time). Thus, if I set up a Windows NT
That doesn't necessarily make a wilful probe in response to a potential probe legally permitted. I'd certainly advise having your legal counsel approve such a response prior to implementing it.
> 5.0 web server, it will use randomized TCP seqno (makes spoofing
NT4's "random" sequence numbers are known predictable even after a patch to fix it. I've not seen any measurements on NT5, but I'm not sure I'd want to go into court to try to prove that it couldn't possibly have been someone with an HTTP_REFERER address linked to the next sequence number backtracking. Worse yet, if the client is predictable, and I've managed to send them to you and initiate a spoofed probe based on some outside (to the process of them and you communicating) channel, you're now attacking a (clueless|innocent) victim. If DNA tests can't be trusted, how the heck will you explain random sequence numbers to a jury? "If he can't predict, you must convict?" (ugh, that was bad)
> almost impossible with being inline) and it will do reverse DNS and NetBIOS to resolve the incoming IP address. Likewise, I know of several websites that do identd as a matter of policy.
The law doesn't just look at what happened, it often looks at intent. Also, once again you're talking about a potential jurisdictional issue that spans the planet.
> TCP fingerprinting is even more interesting. The current programs I know of (nmap, queso) send TCP packets to essentially new connections. But, you can equally include such fingerprinting as part of your TCP stack. For example, you can respond with weird TCP options on every single TCP connection, then judging from the responses, you can more closely identify the OS. Naturally, you have to be careful of the features you use so that connections don't get dropped. Thus, you aren't sending any "new" packets, but you are piggybacking information on top of them.
Knowing the OS doesn't really do much unless you intend to exploit that information. In that case, once again you have problems with culpability and compromised hosts.
> > So let's say the spoofed request is such a request itself, with the attacker claiming to be the victim of their own spoof?
>
> Exactly my point about solving simple pathological conditions. I wouldn't trigger on simple things like NetBIOS nodestatus, but I would trigger on an attempt to access a CGI script that I don't have installed but for which there exist well-known holes. In other words, the response should always be significantly less severe than the supposed attack. In any case, I propose doing nothing that isn't "normal" traffic anyway (except for TCP fingerprinting).
But if I've blind spoofed victim.com's connection to you, and requested that cgi with "?/bin/sh cat ++>/.rhosts" appended to it, you're still probing the wrong person. If I own victim.com's upstream, your probes are going to someone who isn't even involved in the exchange, and you may be committing a felony unbeknownst to yourself, in victim.com's location.
> Again, I am trying to restrict myself to "legitimate" traffic. Is it illegal, anywhere, to ping somebody? For the most part, this is untried in courts (except for Norway). From what I read in the US law, an "auto-nuke" program would be illegal, but an "auto-NetBIOS" would not be.
Look at Oregon's statute that Randal Schwartz was prosecuted under: if they log the ping, you're changing data on their computer without permission (as I read the statute; the original and updated ones are online somewhere, a search for intel vs. schwartz should find them). There are, unfortunately, no federal standards, and the states make their own rules, so it *may* be illegal to ping someone (enforced, rational, or not), and worse yet, it may be illegal next month somewhere. Don't get me wrong, I'm not saying it's not a good idea, I'm just saying there's potentially high risk in the activity, and I'd want a *very good* legal opinion, lack of administrator culpability, legal insurance, and a couple of other things before I'd seriously consider setting up such an automated system. On the other side of that case, I'd be saying "If you can detect the probe as an attack, why not simply dynamically filter packets from the attacker? Why did you have to harm my innocent user whose idiotic provider was illicitly trojaned by unknown attackers? Your screen popping up affected my user's production deadline, and we'll be addressing that in civil court." If you can detect it, you can /dev/null it, and that shouldn't be legally questionable anywhere unless you've signed a really bad service contract with someone.

Now, if we had a Colorado-esque "Go ahead, make my Network" law... and the hacker's name would be "d1r7Y H41rY" :-)

Now all I need is IPv44 :)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
PSB#9280
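The closing point of the message above, that a probe you can detect is better answered by filtering than by probing back, as an added example that is not from the thread or its authors: a small log-driven detector that turns a 404 on a well-known but uninstalled CGI path into a time-limited drop rule, and only flags (never filters) sources inside a never-block range, so a spoofed source in our own address space is not cut off. The watchlist paths, address ranges and log lines are constructed for the example.

```python
from datetime import datetime, timedelta
import ipaddress
import re

# Hypothetical watchlist: well-known-vulnerable CGI paths that are NOT installed here.
WATCHLIST = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/nph-test-cgi"}
# Constructed ranges (own networks, upstream) that are only ever logged, never filtered.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
BLOCK_FOR = timedelta(minutes=30)  # bounds the collateral damage of a wrong decision
# Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, method, path, status = m.groups()
    return {"host": host, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path.split("?", 1)[0], "status": int(status)}

def decide(entry, blocks):
    """Map one entry to ('pass'|'log-only'|'drop', expiry). Only a 404 on a watched
    path counts: the script really is absent, so no legitimate user could hit it."""
    if entry is None or entry["path"] not in WATCHLIST or entry["status"] != 404:
        return ("pass", None)
    src = ipaddress.ip_address(entry["host"])
    if any(src in net for net in NEVER_BLOCK):
        return ("log-only", None)
    until = entry["time"] + BLOCK_FOR
    blocks[str(src)] = until          # the /dev/null rule, with an expiry
    return ("drop", until)

def is_blocked(src, now, blocks):
    """True while the drop rule for src is live; expired rules are purged."""
    until = blocks.get(src)
    if until is None or now >= until:
        blocks.pop(src, None)
        return False
    return True

def run(lines):
    blocks = {}
    decisions = [decide(parse_line(line), blocks) for line in lines]
    return decisions, blocks

# Constructed sample traffic: a normal page fetch, a probe for an absent CGI from an
# outside host, and the same kind of probe from inside our own never-block range.
SAMPLE = [
    '203.0.113.7 - - [29/Jan/1999:18:29:39 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [29/Jan/1999:18:29:41 -0500] "GET /cgi-bin/phf?name=x HTTP/1.0" 404 210',
    '10.1.2.3 - - [29/Jan/1999:18:30:02 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210',
]
```

`run(SAMPLE)` yields pass, drop and log-only for the three lines; the block table is what a filter would consult via `is_blocked` until the entry expires.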