Firewall Wizards mailing list archives
Re: ipchains FW, monitoring for scans, & how to react to them
From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 21 Dec 1999 17:02:18 -0800 (PST)
Auto-response to intrusion is extremely bad for two reasons:

1. the ability to spoof addresses
2. the incidence of false-positives

This is something we had to confront when creating our "Defender" product (firewall + IDS for Windows). It came down to having to configure the appropriate firewall response for each intrusion. Incoming dropped TCP SYN packets have no effect on the firewall configuration, because they can both be spoofed and result in false positives. On the other hand, if we see an OUTGOING response to a BackOrifice request, we immediately shut down all communication with the offending IP address. BackOrifice is virtually impossible to have a false positive since the protocol is so distinctive. Likewise, you can spoof the responses in the outgoing path.

Rob.

--- Thom Dyson <TDyson () sybex com> wrote:
A conversation about this sort of auto-blocking came up at the SANS conference last week. It was pointed out that if you have this, it could be the basis of a very effective DoS attack with just a little IP spoofing. Given the trend toward low and slow scans, your "DENY flush" interval would have to be fairly long. You have to weigh the risks in your environment.

A couple of the speakers on intrusion detection basically said, "We get so many probes on things like IMAP and BO, that as long as they are outside the firewall, they just aren't that interesting." It is probes inside the firewall(s) that are interesting. They weren't too worried about probes for services that they know aren't running on a particular machine. It was the unknown probes (a la new trojans) that seemed to be the biggest concern.

WRT firewalling on the web server without a second separate fw, I'm a huge fan of one task per machine. Ipchains on the web server is a good idea, but not as a replacement for a separate perimeter defense.

Thom Dyson
Director of Information Services
Sybex, Inc

From: Danny Rathjens <dkr@hq.mycity.com>
Date: 12/20/1999 04:46 PM
Please respond to Danny Rathjens
To: Firewalls <firewall-wizards () nfr net>
cc: (bcc: Thom Dyson/Sybex)
Subject: ipchains FW, monitoring for scans, & how to react to them

My question is how do you all feel about essentially doing the firewalling on the webserver itself with ipchains instead of a separate box that everything is filtered through. I'd also like any comments on my two ways of setting ipchains rules/portsentry and how to respond to probes of my boxen:

1. On a web server I thought it was a cool idea to have portsentry running and when it detected a connection to some port like 110, 1, or 31337, it would alert me and drop an ipchains rule in place that would prevent all further connections to any local port from the 'attacking' IP. Then I could have a cron'd script go through and flush these rules every once in a while. This way I would prevent any immediately following exploit/scan attempts from the same host, and still not have to worry about random dial-up and/or spoofed IPs belonging to my customers not working at some future time. So I am trying to foil attempts from a single IP once I know they are likely up to no good, but I let the shields down after a little while to avoid any problems with delivering my web content to the world.

[snip]
=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming dates with 2-digits again."
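The temporary block-and-flush scheme Danny describes, written out as an added example (not code from anyone in the thread): blocked hosts are recorded in a file with a timestamp so a cron job can expire them, and the firewall command is taken from $IPCHAINS so the logic can be exercised without ipchains or root. Per Rob's point above, block_host should only be called from a trigger that cannot be spoofed, such as an outgoing response to a BackOrifice request, never from bare incoming SYNs.

```shell
#!/bin/sh
# Assumed layout (constructed for this example): $BLOCKFILE holds one
# "<ip> <epoch-seconds>" line per blocked host; $IPCHAINS is the firewall
# binary, overridable so the expiry logic can be tested with a stand-in.
BLOCKFILE="${BLOCKFILE:-/var/run/blocked-hosts}"
IPCHAINS="${IPCHAINS:-ipchains}"

now() { date +%s; }

# Exit status 0 if $1 is currently on the blocklist.
is_blocked() { grep -q "^$1 " "$BLOCKFILE" 2>/dev/null; }

# Deny all input from $1 and record when the block was added.
# Only call this from a non-spoofable trigger (see the discussion above);
# a repeat hit from an already-blocked host must not stack a second rule.
block_host() {
    ip="$1"
    is_blocked "$ip" && return 0
    "$IPCHAINS" -I input -s "$ip" -j DENY
    echo "$ip $(now)" >> "$BLOCKFILE"
}

# Cron'd flush: remove blocks older than $1 seconds, keep the rest.
# Rewrites the blocklist rather than editing it in place (POSIX sh only).
expire_blocks() {
    max_age="$1"
    [ -f "$BLOCKFILE" ] || return 0
    cutoff=$(( $(now) - max_age ))
    tmp="$BLOCKFILE.tmp"
    : > "$tmp"
    while read -r ip ts; do
        if [ "$ts" -lt "$cutoff" ]; then
            "$IPCHAINS" -D input -s "$ip" -j DENY
        else
            echo "$ip $ts" >> "$tmp"
        fi
    done < "$BLOCKFILE"
    mv "$tmp" "$BLOCKFILE"
}
```

Run `block_host <ip>` from the portsentry action and `expire_blocks 3600` from cron; the DENY flush interval is the trade-off Thom raises, so pick it per environment.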