Firewall Wizards mailing list archives
Response to door knocking
From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 28 Jan 1999 22:25:03 -0800 (PST)
--- "Paul D. Robertson" <proberts () clark net> wrote:
> I don't know anyone who doesn't have difficulty deciding how to react to
> door-knocking. Well, besides whoever that was who used to automatically
> e-mail zone contacts for any connect attempt, and I think they had
> problems with the results of their decision.
What are some legitimate responses to door knocking? Sending out automated e-mail seems to be a pathological response given the likelihood that IP addresses can be spoofed. How about these ideas:

1. nbtstat (NetBIOS node status request)
2. identd protocol
3. GET / HTTP/1.0
4. OS fingerprint (à la nmap or queso)
5. link speed identification

Let's take the extreme case where we've detected an intruder over a TCP connection whereby we know the TCP sequence number hasn't been spoofed (i.e. those operating systems with patches against spoofing). Thus, we are pretty sure about the source of the attack.

First, we send a simple NetBIOS node status request (UDP port 137) to the offending machine to potentially gather that user's login information.

In the most extreme case, we do an OS fingerprint scheme like nmap or queso that sends a series of strange TCP packets/options/flags to the intruder in order to "fingerprint" the operating system. For example, we can likely tell whether they are using Windows or Linux or Mac or Solaris etc., even if no ports are open.

Likewise, by sending varying size ping packets at the target, we can get a good fingerprint of their link speed (assuming our link is faster than their link).

In essence, I can likely gather the user name, machine type, and operating system. Of course, this won't be effective against real hackers but would gather a lot of evidence against script kiddies (which are more numerous).

If you don't care about evidence and simply want to scare them off, you can use the SMB messenger service or rwall to pop up a message on their screen. Again, this assumes either NetBIOS or Sun RPC enabled respectively. Such a message would simply say "You are cybertrespassing and probably breaking several laws for which we will prosecute".
Assuming that you take care of the obvious pathological cases (be careful about false positives, IP spoofing, and throttling the rate at which you send such messages, etc.), are there any problems with this scheme?

Rob.