Firewall Wizards mailing list archives

Re: FW: BlackIce Defender???


From: "Craig H. Rowland" <crowland () psionic com>
Date: Fri, 29 Oct 1999 09:19:17 -0500 (CDT)


> nuqneH,
>
> I don't think active defense (this way at least) is a good idea.
> Yep, it sounds cool and looks like advanced technology ;) but imho
> it adds little to security and opens many new DoS possibilities.

You know *everybody* says this. In fact when I first wrote the tool I only
had it do full TCP connect() detection to prevent this issue. Later when I
added the UDP and stealth modes (which are susceptible to spoofed scans) I
thought that I was going to be causing a major headache for users and
labeled the modes as "experimental" (aka. "I can pull this feature out
anytime I want without reason"). 

What I re-discovered though is that reality and theory are many times
mutually exclusive. 

I released the tool with the new modes and waited for the onslaught. I
expected some people to balk and present the idea of the DOS attack. I
expected others to release tools to attack the system. In fact both
happened. Someone released a tool called "antisentry.c" which just did a
simple port scan spoof. Even better, the popular scanner "nmap" added
its "decoy" option specifically because of the PortSentry tool[1]. So,
what was my response? I waited. 

I was waiting to hear the user complaints come rolling in asking me about
the problem and telling me about the DOS attacks. I was waiting for the
flame mail. Lastly, I was basically waiting for the sky to fall.

So you ask how many complaints have I received to date, almost two years
after releasing the tool referring to DOS attacks? 

Zero.

Yes that's right, *nobody* has ever written me about having a DOS done
on them with the tool. 

Does this mean that people don't use this technique? Well of course not,
but I don't think it is as big an issue as the theorists claim if a proper
sense of caution is used. In the documentation I explain the DOS issue
quite clearly and issue scenarios and motives on why I think the attack
won't be prevalent. Here they are again in a nutshell:

1) A person using a stealth scan wants to remain hidden.
2) A spoofed scan reveals the intent of an attacker without allowing them
access to the network.
3) Many networks don't allow spoofed packets appearing from other networks
to exit their borders (anti-spoof filters). 
4) Decoy scanning slows down widespread scanning and makes you more
noticeable from the compromised hosts.
5) Most attackers don't know you run PortSentry until they have activated
it.

So basically you need to look at why an attacker is spoofing scans and
what it buys them. Usually it buys them nothing and lets the administrators
know someone is there, even if that someone is a forgery. 

I know some people have had a PortSentry DOS used against them, but this
usually was by people they know, or in a situation where they shouldn't be
using the spoofable scan detection methods. Typically they were on IRC and
one of their friends decided it would be funny. 

Keep in mind too that I only recommend the full connect() TCP scan
detection mechanism because full connect blind spoofs are relatively
difficult to do (even though Linux has had some issues with this lately).
Also most scan attempts are not stealth scans, they are full connections
to help grab banners or to auto-run an attack for instant access.
I think if you are a high profile site you shouldn't run the stealth scan
detection modes because of the critical nature of services you may
provide (i.e. I don't run the stealth/UDP detection modes on my
external servers). For most users though, you are fine running the stealth
modes because most people scanning your host are not out to DOS you, they
are out to get onto your system. 

So what is the lesser of the two evils? I personally feel that the (very)
small chance of a DOS attack is far outweighed by the potential to
automatically stop the attacker in his/her tracks. The choice is the end
user's though on what they want to do:

1) Run the tool with the spoofable detection modes (UDP, stealth).
2) Run the tool with the non-spoofable detection modes (TCP full
connect).
3) Don't run the tool with auto-blocking turned on.
4) Don't run the tool at all.

As hard as it is going to be for the theorists to accept, the reality is
that not many people are using PortSentry to DOS others. Sorry to
disappoint.


-- Craig

[1] Fyodor was at my talk at DefCon and we chatted for a bit afterward and
he said PortSentry was what made him put in the "decoy" option. Does this
mean I get a mention in the credits file? :)
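The following is an added illustration of the trade-off Craig describes above, not PortSentry's own code: a tiny auto-blocker model showing why a full connect() detector cannot be blind-spoofed (the forged source never completes the handshake) while a SYN-only "stealth" detector can be fed forged sources, and how an ignore list (assumed here, not a feature the post describes) bounds the damage. The addresses and probe events are constructed for the example.

```python
# Added example: models PortSentry-style auto-blocking in "tcp" (full connect)
# versus "stealth" (half-open) mode. Not the real tool's code; the ignore list,
# trigger count, addresses and events are all assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class ProbeEvent:
    src: str              # claimed source address of the probe
    port: int
    handshake_done: bool  # True only if the 3-way handshake completed;
                          # a forged source never sees the SYN/ACK, so False


@dataclass
class AutoBlocker:
    mode: str                         # "tcp" or "stealth"
    trigger: int = 3                  # hits from one host before blocking it
    ignore: frozenset = frozenset()   # hosts never blocked (assumed feature)
    hits: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def observe(self, ev: ProbeEvent) -> bool:
        """Return True if this event caused ev.src to be blocked."""
        if self.mode == "tcp" and not ev.handshake_done:
            return False  # full-connect mode ignores half-open probes
        if ev.src in self.ignore or ev.src in self.blocked:
            return False
        self.hits[ev.src] = self.hits.get(ev.src, 0) + 1
        if self.hits[ev.src] >= self.trigger:
            self.blocked.add(ev.src)
            return True
        return False


def run_scan(mode: str, events, ignore=frozenset()) -> set:
    """Feed all events to a fresh blocker and return the blocked hosts."""
    blocker = AutoBlocker(mode=mode, ignore=frozenset(ignore))
    for ev in events:
        blocker.observe(ev)
    return blocker.blocked


# Constructed scenario: a blind SYN scan forging the site's own DNS resolver
# (192.0.2.53) alongside a genuine full-connect scan from 198.51.100.7.
FORGED = [ProbeEvent("192.0.2.53", p, False) for p in (21, 23, 111)]
REAL = [ProbeEvent("198.51.100.7", p, True) for p in (21, 23, 111)]

if __name__ == "__main__":
    print(run_scan("stealth", FORGED + REAL))                  # resolver blocked too
    print(run_scan("tcp", FORGED + REAL))                      # only the real scanner
    print(run_scan("stealth", FORGED + REAL, {"192.0.2.53"}))  # ignore list helps
```

In stealth mode the forged probes get the resolver blocked (the DOS the thread worries about); in tcp mode the same probes are ignored because no handshake completed.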


