Firewall Wizards mailing list archives

Re: ipchains FW, monitoring for scans, & how to react to them


From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 21 Dec 1999 17:02:18 -0800 (PST)

Auto-response to intrusion is extremely bad for two reasons:
1. the ability to spoof addresses
2. the incidence of false-positives

This is something we had to confront when creating our "Defender" product
(firewall + IDS for Windows). It came down to having to configure the
appropriate firewall response for each intrusion.

Incoming dropped TCP SYN packets have no effect on the firewall configuration,
because they can both be spoofed and result in false positives. On the other
hand, if we see an OUTGOING response to a BackOrifice request, we immediately
shut down all communication with the offending IP address. BackOrifice is
virtually impossible to have a false positive since the protocol is so
distinctive. Likewise, you can spoof the responses in the outgoing path.

Rob.

--- Thom Dyson <TDyson () sybex com> wrote:
A conversation about this sort of auto-blocking came up at the SANS
conference last week.  It was pointed out that if you have this, it could
be the basis of a very effective DoS attack with just a little IP spoofing.
Given the trend toward low and slow scans, your "DENY flush" interval would
have to be fairly long.  You have to weigh the risks in your environment.

A couple of the speakers on intrusion detection basically said, "We get so
many probes on things like IMAP and BO, that as long as they are outside
the firewall, they just aren't that interesting."  It is probes inside the
firewall(s) that are interesting.  They weren't too worried about probes
for services that they know aren't running on a particular machine.  It was
the unknown probes (a la new trojans) that seemed to be the biggest
concern.

WRT firewalling on the web server without a second separate fw, I'm a huge
fan of one task per machine.  Ipchains on the web server is a good idea,
but not as a replacement for a separate perimeter defense.

Thom Dyson
Director of Information Services
Sybex, Inc


Danny Rathjens <dkr@hq.mycity.com> wrote on 12/20/1999 04:46 PM:
To: Firewalls <firewall-wizards () nfr net>
cc: (bcc: Thom Dyson/Sybex)
Subject: ipchains FW, monitoring for scans, & how to react to them

My question is how do you all feel about essentially doing
the firewalling on the webserver itself with ipchains instead
of a separate box that everything is filtered through.
I'd also like any comments on my two ways of setting ipchains
rules/portsentry and how to respond to probes of my boxen:
1. On a web server I thought it was a cool idea to have portsentry
running and when it detected a connection to some port like 110,
1, or 31337, it would alert me and drop an ipchains rule in place
that would prevent all further connections to any local port
from the 'attacking' ip.  Then I could have a cron'd script go
through and flush these rules every once in a while.  This way
I would prevent any immediately following exploit/scan attempts
from the same host, and still not have to worry about random
dial-up and/or spoofed ip's belonging to my customers not working
at some future time.
So I am trying to foil attempts from a single IP once I know
they are likely up to no good, but I let the shields down after
a little while to avoid any problems with delivering my web
content to the world.
[snip]
=====
Robert Graham
"Anxiously awaiting the millenium so I can start programming
dates with 2-digits again."
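The rule Rob describes (no firewall change on an inbound dropped SYN because the source can be spoofed and the signature fires on benign traffic, but an immediate block on an outbound BackOrifice reply because that evidence comes from our own host and the protocol is distinctive) and the time-limited block with a periodic flush that Danny sketched can be combined into one small policy engine. The following is an added example written for this archive page; it is not code from the "Defender" product, from portsentry, or from anyone in the thread. The signature table, the TTL and the IP addresses are constructed, and the ipchains command strings are only rendered, never executed.

```python
"""Constructed per-signature auto-response policy (not from the thread)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Direction(Enum):
    INBOUND = "inbound"    # evidence is a packet someone sent *to* us
    OUTBOUND = "outbound"  # evidence is a packet our own host sent


@dataclass(frozen=True)
class Signature:
    name: str
    direction: Direction
    spoofable: bool         # could a third party forge this evidence?
    false_positives: bool   # does the signature fire on benign traffic?


# Constructed signature table paraphrasing the thread's reasoning: an inbound
# dropped SYN proves nothing about its source address, while an outbound
# BackOrifice reply can only have been generated by our own host.
SIGNATURES: Dict[str, Signature] = {
    "dropped-syn": Signature("dropped-syn", Direction.INBOUND,
                             spoofable=True, false_positives=True),
    "bo-response": Signature("bo-response", Direction.OUTBOUND,
                             spoofable=False, false_positives=False),
}


@dataclass
class Alert:
    signature: str
    peer_ip: str
    at: float   # seconds since some epoch


@dataclass
class BlockEntry:
    ip: str
    reason: str
    expires_at: float


class ResponsePolicy:
    """Decides, per alert, whether to log or to install an expiring block."""

    def __init__(self, signatures: Dict[str, Signature], block_ttl: float):
        self.signatures = signatures
        self.block_ttl = block_ttl          # Danny's "DENY flush" interval
        self.blocks: Dict[str, BlockEntry] = {}

    def decide(self, alert: Alert) -> str:
        sig = self.signatures.get(alert.signature)
        if sig is None:
            return "log"                    # unknown signature: never auto-block
        # Only evidence that cannot be spoofed and does not produce false
        # positives may change the firewall; everything else is just logged.
        if (sig.direction is Direction.OUTBOUND
                and not sig.spoofable and not sig.false_positives):
            return "block"
        return "log"

    def handle(self, alert: Alert) -> Optional[BlockEntry]:
        if self.decide(alert) != "block":
            return None
        entry = BlockEntry(alert.peer_ip, alert.signature,
                           alert.at + self.block_ttl)
        self.blocks[alert.peer_ip] = entry
        return entry

    def is_blocked(self, ip: str, now: float) -> bool:
        entry = self.blocks.get(ip)
        return entry is not None and now < entry.expires_at

    def flush_expired(self, now: float) -> List[BlockEntry]:
        """What the cron'd flush script would do: drop blocks past their TTL."""
        expired = [e for e in self.blocks.values() if now >= e.expires_at]
        for e in expired:
            del self.blocks[e.ip]
        return expired


def ipchains_deny(ip: str, chain: str = "input") -> str:
    """Render (do not run) the ipchains rule that installs a block."""
    return f"ipchains -I {chain} -s {ip} -j DENY"


def ipchains_undo(ip: str, chain: str = "input") -> str:
    """Render (do not run) the matching deletion used when a block expires."""
    return f"ipchains -D {chain} -s {ip} -j DENY"


if __name__ == "__main__":
    policy = ResponsePolicy(SIGNATURES, block_ttl=600)   # 10-minute blocks
    # Constructed alerts: one spoofable probe, one unforgeable outbound reply.
    for a in (Alert("dropped-syn", "192.0.2.10", 0.0),
              Alert("bo-response", "198.51.100.7", 100.0)):
        entry = policy.handle(a)
        print(a.signature, a.peer_ip, "->", policy.decide(a),
              ipchains_deny(entry.ip) if entry else "")
    for e in policy.flush_expired(now=800.0):
        print("flush:", ipchains_undo(e.ip))
```

The decision hinges on two booleans taken from the signature, not on the alert itself, so adding a new signature forces you to state explicitly whether its evidence can be forged before it is allowed to touch the firewall; the TTL keeps a mistaken block from costing a customer more than one flush interval.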