Firewall Wizards mailing list archives

Re: Response to door knocking


From: Robert Graham <robert_david_graham () yahoo com>
Date: Fri, 29 Jan 1999 14:47:44 -0800 (PST)

You bring up some good points.

---"Paul D. Robertson" <proberts () clark net> wrote:

On Thu, 28 Jan 1999, Robert Graham wrote:

1. nbstat (NetBIOS node status request).
2. identd protocol
3. GET / HTTP/1.0
4. OS fingerprint (a la. nmap or queso)
These could all be considered door knocking in their own right, especially
if the first knock is spoofed.  Then we end up with the echo spoof
recreated.

Windows machines already do NetBIOS nodestatus requests (which
firewall maintainers see all the time). Thus, if I set up a Windows NT
5.0 web server, it will use randomized TCP seqno (makes spoofing
almost impossible without being inline) and it will do reverse DNS and
NetBIOS to resolve the incoming IP address.

Likewise, I know of several websites that do identd as a matter of
policy. 

TCP fingerprinting is even more interesting. The current programs I
know of (nmap, queso) send TCP packets to essentially new connections.
But, you can equally include such fingerprinting as part of your TCP
stack. For example, you can respond with weird TCP options on every
single TCP connection, then judging from the responses, you can more
closely identify the OS. Naturally, you have to be careful of the
features you use so that connections don't get dropped. Thus, you
aren't sending any "new" packets, but you are piggybacking information
on top of them.

[You can get even more evil. Let's say that we discover an illegal TCP
packet that will crash many machines -- but only if it is part of a
legitimate TCP connection. Thus, they will only crash if they have
attacked you, but will not crash if they are innocent. Fun to think
about.]

Thus, we are pretty sure about the source of the attack. First, we
send a simple NetBIOS nodestatus request (UDP port 137) to the
offending machine to potentially gather that user's login
information.

So let's say the spoofed request is such a request itself, with the
attacker claiming to be the victim of their own spoof?

Exactly my point about solving simple pathological conditions. I
wouldn't trigger on simple things like NetBIOS nodestatus, but I would
trigger on an attempt to access a CGI script that I don't have
installed but for which there exists well-known holes. In other words,
the response should always be significantly less severe than the
supposed attack. In any case, I propose doing nothing that isn't
"normal" traffic anyway (except for TCP fingerprinting).

If you don't care about evidence and simply want to scare them off,
you can use the SMB messenger service or rwall to popup a message on
their screen. Again, this assumes either NetBIOS or Sun RPC enabled
respectively. Such a message would simply say "You are
cybertrespassing and probably breaking several laws for which we will
prosecute".

Of course, you're doing the same thing if the attacker isn't the primary
user of the machine, or if the packets are spoofed.  Since you presumably
aren't law enforcement, there's no "hot pursuit" law to protect you, and
since the attacker could be from any country, you may be placing yourself
in jeopardy in a foreign jurisdiction.

That's why I said it's not trivial to figure out how to respond to door
knocking.  Automatic response takes more thought, and generally lots of
talking with the lawgeeks.

Again, I am trying to restrict myself to "legitimate" traffic. Is it
illegal, anywhere, to ping somebody? For the most part, this is
untried in courts (except for Norway). From what I read in the US law,
an "auto-nuke" program would be illegal, but an "auto-NetBIOS" would
not be.

Now, if we had a Colorado-esque "Go ahead, make my Network" law...
...and the hacker's name would be "d1r7Y H41rY" :-)

Rob.

_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com
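The "auto-NetBIOS" response discussed in this thread is a node status (NBSTAT) query on UDP port 137, as defined in RFC 1002. The following is an added example, not code from the original post or its author: it builds the wildcard node status query, parses a node status reply into its name table and unit ID (MAC), and applies a heuristic for picking out the logged-on user (the unique <03> name that is not the machine's own name). The reply bytes are constructed inline from made-up names (WORKSTN, WORKGROUP, ALICE) and a made-up MAC so the parser runs offline; query_host() is the only function that touches the network and is not exercised here.

```python
"""NetBIOS node status (NBSTAT) query builder and reply parser (RFC 1002, UDP/137).
Added example; the sample reply below is constructed, not captured from a real host."""
import socket
import struct
from typing import Optional

NBSTAT_TYPE = 0x0021          # RR type for a node status request/response
IN_CLASS = 0x0001
WILDCARD = b"*" + b"\x00" * 15  # node status uses "*" padded with NULs, not spaces


def first_level_encode(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble + 'A', wrapped as one 32-byte label."""
    assert len(raw16) == 16
    out = bytearray()
    for b in raw16:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"


def build_node_status_query(txid: int) -> bytes:
    """12-byte header (1 question, no recursion) + wildcard name + QTYPE NBSTAT, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + first_level_encode(WILDCARD) + struct.pack("!HH", NBSTAT_TYPE, IN_CLASS)


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past an encoded name (labels end with 0x00; 0xC0.. is a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_node_status_response(pkt: bytes) -> dict:
    """Return {'txid', 'names': [{'name','suffix','group','active'}...], 'mac'} from a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    off = 12
    for _ in range(qd):                      # question section is normally absent in replies
        off = _skip_name(pkt, off) + 4
    if an < 1:
        raise ValueError("no answer record")
    off = _skip_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("answer is not a node status record")
    rdata = pkt[off:off + rdlen]
    names = []
    p = 1
    for _ in range(rdata[0]):                # NUM_NAMES entries of 15-char name, suffix, flags
        entry = rdata[p:p + 18]
        if len(entry) < 18:
            raise ValueError("truncated name table")
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append({
            "name": entry[:15].decode("ascii", "replace").rstrip(),
            "suffix": entry[15],
            "group": bool(nflags & 0x8000),  # G bit: group vs unique name
            "active": bool(nflags & 0x0400),  # ACT bit
        })
        p += 18
    mac = rdata[p:p + 6]                     # UNIT_ID at the start of the statistics block
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}


def logged_on_user(info: dict) -> Optional[str]:
    """Heuristic (assumption, not from RFC 1002): Windows registers both the machine name
    and the interactive user's name as unique <03> messenger names; the <03> name that is
    not also a unique <00> workstation name is the user."""
    machines = {n["name"] for n in info["names"] if n["suffix"] == 0x00 and not n["group"]}
    for n in info["names"]:
        if n["suffix"] == 0x03 and not n["group"] and n["name"] not in machines:
            return n["name"]
    return None


def build_sample_response(txid: int) -> bytes:
    """Constructed reply for the example: made-up names and MAC, zeroed statistics."""
    entries = [("WORKSTN", 0x00, 0x0400), ("WORKGROUP", 0x00, 0x8400),
               ("WORKSTN", 0x03, 0x0400), ("ALICE", 0x03, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", nflags)
    rdata += bytes.fromhex("001122334455") + b"\x00" * 40
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = first_level_encode(WILDCARD) + struct.pack("!HHIH", NBSTAT_TYPE, IN_CLASS, 0, len(rdata))
    return header + rr + rdata


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Send the query to a real host (not run in this example) and parse whatever comes back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_node_status_query(0x1234), (ip, 137))
        data, _ = s.recvfrom(1024)
    finally:
        s.close()
    return parse_node_status_response(data)


if __name__ == "__main__":
    info = parse_node_status_response(build_sample_response(7))
    for n in info["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02x}> {'GROUP' if n['group'] else 'UNIQUE'}")
    print("MAC:", info["mac"], " logged-on user:", logged_on_user(info))
```

The parser only reads the unit ID from the statistics block; a real reply carries more counters after it, which it ignores. Nothing here identifies the person behind a spoofed source address: as the thread notes, the reply (if any) describes whoever owns the address you send to.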


