Firewall Wizards mailing list archives
Re: Response to door knocking
From: Robert Graham <robert_david_graham () yahoo com>
Date: Fri, 29 Jan 1999 14:47:44 -0800 (PST)
You bring up some good points.

--- "Paul D. Robertson" <proberts () clark net> wrote:
> On Thu, 28 Jan 1999, Robert Graham wrote:
> > 1. nbstat (NetBIOS node status request).
> > 2. identd protocol
> > 3. GET / HTTP/1.0
> > 4. OS fingerprint (a la nmap or queso)
>
> These could all be considered door knocking in their own right, especially
> if the first knock is spoofed. Then we end up with the echo spoof recreated.

Windows machines already do NetBIOS nodestatus requests (which firewall maintainers see all the time). Thus, if I set up a Windows NT 5.0 web server, it will use randomized TCP seqno (makes spoofing almost impossible without being inline) and it will do reverse DNS and NetBIOS to resolve the incoming IP address. Likewise, I know of several websites that do identd as a matter of policy.

TCP fingerprinting is even more interesting. The current programs I know of (nmap, queso) send TCP packets to essentially new connections. But you can equally include such fingerprinting as part of your TCP stack. For example, you can respond with weird TCP options on every single TCP connection; then, judging from the responses, you can more closely identify the OS. Naturally, you have to be careful of the features you use so that connections don't get dropped. Thus, you aren't sending any "new" packets, but you are piggybacking information on top of them.

[You can get even more evil. Let's say that we discover an illegal TCP packet that will crash many machines -- but only if it is part of a legitimate TCP connection. Thus, they will only crash if they have attacked you, but will not crash if they are innocent. Fun to think about.]

> > Thus, we are pretty sure about the source of the attack. First, we send a
> > simple NetBIOS nodestatus request (UDP port 137) to the offending machine
> > to potentially gather that user's login information.
>
> So let's say the spoofed request is such a request itself, with the attacker
> claiming to be the victim of their own spoof?

Exactly my point about solving simple pathological conditions. I wouldn't trigger on simple things like NetBIOS nodestatus, but I would trigger on an attempt to access a CGI script that I don't have installed but for which there exist well-known holes. In other words, the response should always be significantly less severe than the supposed attack. In any case, I propose doing nothing that isn't "normal" traffic anyway (except for TCP fingerprinting).

> > If you don't care about evidence and simply want to scare them off, you can
> > use the SMB messenger service or rwall to pop up a message on their screen.
> > Again, this assumes either NetBIOS or Sun RPC enabled respectively. Such a
> > message would simply say "You are cybertrespassing and probably breaking
> > several laws for which we will prosecute".
>
> Of course, you're doing the same thing if the attacker isn't the primary
> user of the machine, or if the packets are spoofed. Since you presumably
> aren't law enforcement, there's no "hot pursuit" law to protect you, and
> since the attacker could be from any country, you may be placing yourself
> in jeopardy in a foreign jurisdiction.
>
> That's why I said it's not trivial to figure out how to respond to door
> knocking. Automatic response takes more thought, and generally lots of
> talking with the lawgeeks.

Again, I am trying to restrict myself to "legitimate" traffic. Is it illegal, anywhere, to ping somebody? For the most part, this is untried in courts (except for Norway). From what I read in the US law, an "auto-nuke" program would be illegal, but an "auto-NetBIOS" would not be.

> Now, if we had a Colorado-esque "Go ahead make my Network" law...

...and the hacker's name would be "d1r7Y H41rY" :-)

Rob.
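As an added example (not from the thread or its participants), here is one way to encode Rob's triage rule in Python: react only to requests for well-known-hole CGI paths the site does not have installed, weight attribution by whether the probe rode a completed TCP connection or a lone datagram, and cap the reaction at passive "normal" traffic (logging and a reverse-DNS lookup). The watchlist, the installed set and the access-log lines are constructed for the example.

```python
"""Proportional triage of "door knocking", following the thread's rules:
react only to probes for well-known-hole CGI paths that are not installed,
weight attribution by transport (a completed TCP request is hard to spoof,
a lone UDP datagram is trivial to spoof), and never go beyond passive
"normal" traffic such as logging and a reverse-DNS lookup."""
import re
from dataclasses import dataclass

# Constructed, operator-maintained watchlist of CGI names with well-known
# historical holes that this hypothetical site does NOT have installed.
KNOWN_HOLE_CGIS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/count.cgi"}
INSTALLED_CGIS = {"/cgi-bin/search.cgi"}

# Constructed common-log-format lines; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jan/1999:14:47:44 -0800] "GET / HTTP/1.0" 200 1043
192.0.2.20 - - [29/Jan/1999:14:48:01 -0800] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 212
192.0.2.30 - - [29/Jan/1999:14:48:09 -0800] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 512
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

@dataclass
class Verdict:
    src: str
    what: str
    severity: str     # "none" or "probe"
    attribution: str  # "tcp-connection" (credible) or "spoofable" (not)
    response: str     # passive only: "ignore", "log-only", "log+reverse-dns"

def triage_request(line):
    """Classify one completed HTTP request taken from the access log."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _ts, _method, target, _status = m.groups()
    path = target.split("?", 1)[0]
    if path in KNOWN_HOLE_CGIS and path not in INSTALLED_CGIS:
        # A full TCP handshake preceded this request, so the source address
        # is credible; still, the reaction stays at ordinary lookups.
        return Verdict(src, path, "probe", "tcp-connection", "log+reverse-dns")
    return Verdict(src, path, "none", "tcp-connection", "ignore")

def triage_datagram(src, proto, dport):
    """A single UDP datagram (e.g. a NetBIOS node-status request to port 137)
    carries no proof of origin, so it is only logged, never acted on."""
    return Verdict(src, f"{proto}/{dport}", "none", "spoofable", "log-only")

def triage_log(text):
    return [v for v in map(triage_request, text.splitlines()) if v]
```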