Re: DNS Names for external services

[david () lang hm]

On Mon, 26 Apr 2010, Morty Abzug wrote:

> On Fri, Apr 23, 2010 at 12:20:17PM -0700, david () lang hm wrote:
>
> > > > Likewise, if you don't run an FTP server (or CVS, or POP3, or...),
> > > > setup DNS records for those pointing to your honeypot. Use it to
> > > > respond in anyway you see fit for defense of your network (blocking
> > > > the IP, etc).
>
> > > What happens when one of your legit users says "I wonder if we have an
> > > FTP server?" and tries ftp.$YOURCOMPANY.com just to see if it answers?
>
> > if your server is locked down, nothing (other than an additional
> > failed login)
>
> Re-read above.  GP advocated setting up a honeypot on well-known names
> that *blocks* the source IP.  The problem with this is that if
> $legit_user of your company/organization says 'hey, I see
> "ftp.$mycompany.com" resolves' and tries it, you will block
> $legit_user's source IP.

so an attacker scan you from many different IP addresses, in different 
orders, and then uses different addresses to attack you.

your approach helps, but will not keep you safe.

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards