Firewall Wizards mailing list archives

Re: Response to door knocking


From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 2 Feb 1999 18:35:05 -0800 (PST)


---Ulrich Flegel <Ulrich.Flegel () CS Uni-Dortmund DE> wrote:
> You name them. Unmasking IP spoofing without cooperating
> routers/sniffers upstream to the alleged aggressor, I don't see how you
> want to discern real IPs from spoofed IPs. In the worst case the attacker
> uses you to attack someone else.

I don't think my position was well understood. I don't propose
"attacking" a site. 

If somebody sends spoofed traffic to your site, you will be sending
traffic to that spoofed address when you respond. Thus, you are
already "guilty" of sending unsolicited traffic to that spoofed IP
address. Today I can force anybody to TCP scan anybody else by
spoofing (i.e. I send a spoofed SYN A->B packet to a closed port, B
replies RST B->A; I then spoof a range of ports on packets to A to
scan all the ports on B. Of course, I never see the results but that
isn't the point).

Thus, let's assume I TCP scan anybody that hacks me. It seems of
little difference whether you force me to TCP scan an innocent party
by the first method, or by triggering the counter-attack method.

In any case, even TCP scanning is more aggressive than I am proposing.
For example, what if I created a policy whereby every new TCP connection
that I haven't seen in the past 24 hours generates a NetBIOS
nodestatus request to find the name? This "feature" is already
implemented in Windows, what if I wanted to add a utility to UNIX that
does the same thing?

The technical arguments against this haven't really impressed me. For
example, a man-near-the-middle (i.e. with a sniffer) style spoofing
has been a common argument, but I don't really consider it because the
man-near-the-middle attack can more easily spoof an attack against
somebody than spoof an attack against me to trigger that NetBIOS packet.

What I think is more interesting is the legal implications. Except
possibly in Norway (where their Supreme Court has pretty much
legalized such activity), this type of activity hasn't really been
worked out in the court system. For the most part, the legal arguments
about such activities will be partially decided by the technical
merits. For example, from one perspective, sending any IP traffic to
someone could be considered misuse of their computer resources. But as
I mentioned before, you can spoof ANYONE into sending packets to
ANYONE else. Again, the question is not necessarily whether you
attacked somebody, but how justified you were in piggybacking
information gathering packets along with legitimate responses.

Moreover, so far, this question has been considered only from a single
angle. If I put a Linux machine on the Internet and advertised the
root password for it and allowed anybody to log on, I am potentially
liable for hackers who log onto that box, then go from there to hack
other sites. Thus, if I don't take "reasonable" measures against
hackers, I can be sued. Consider a scenario where an unknown hacker
broke into my site, then used it as a stepping stone to attack VICTIM.
Now, the hacker remains unknown and the VICTIM is suing me. Gosh,
wouldn't it have been nice to have gathered additional information that
my forensics team and the police could have used to track down the
hacker?

Thus, given all the spoofing and legal ramifications, I would not be
scared in implementing an auto-NetBIOS feature as described. I might
get sued, but somebody else with a Windows box is likely to be sued
first. Furthermore, I think I'd appreciate that extra little bit of
information from all those script-kiddies out there (because in
practice, I will likely get useful info). But of course, the reason I
post this idea on this list is so that you guys can poke holes in my
reasoning.

Rob.
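The policy Rob sketches ("every new TCP connection I haven't seen in the past 24 hours triggers a lookup") and Ulrich's spoofing objection can be separated cleanly in code. The block below is an added illustration, not code from the original post or from either author: it implements only the decision of when such a policy would fire, never the lookup packet itself. Two defensive caveats from the thread are built in. First, the trigger can be gated on a completed three-way handshake rather than on a bare SYN, because a blind spoofer who never sees the replies cannot complete the handshake without guessing the server's initial sequence number, which removes the "you can spoof anyone into probing anyone" problem for this trigger. Second, an outbound rate limit bounds how many lookups the host will ever send per hour, so it cannot be turned into a high-volume reflector. The event names, the `ConnEvent` type, the 24-hour window constant and the sample event stream are all constructed assumptions for the example.

```python
"""Decision logic for a 'first seen in 24 hours' active-response policy.

Added example, not from the original post. It only decides whether the
policy would fire for an observed connection; it sends nothing.
"""
from collections import deque
from dataclasses import dataclass

DAY = 24 * 3600  # the "past 24 hours" window from the post (assumption: seconds)


@dataclass(frozen=True)
class ConnEvent:
    ts: float   # seconds on a constructed clock
    src: str    # peer address as our host sees it
    kind: str   # "syn" (first packet only) or "established" (3-way handshake done)


class FirstSeenPolicy:
    def __init__(self, window=DAY, require_handshake=True, max_per_hour=20):
        self.window = window
        self.require_handshake = require_handshake
        self.max_per_hour = max_per_hour      # hard cap on outbound lookups per hour
        self._last_seen = {}                  # src -> ts of last qualifying event
        self._fired = deque()                 # timestamps of lookups within the last hour

    def _qualifies(self, ev):
        # A bare SYN can carry any source address; a completed handshake cannot
        # be blindly spoofed, so by default only "established" counts.
        if self.require_handshake:
            return ev.kind == "established"
        return ev.kind in ("syn", "established")

    def observe(self, ev):
        """Return True if the policy would trigger a lookup for this event."""
        if not self._qualifies(ev):
            return False
        prev = self._last_seen.get(ev.src)
        # Every qualifying event counts as "seen", even if rate limiting
        # suppresses the lookup below: bounded outbound traffic is preferred
        # over completeness.
        self._last_seen[ev.src] = ev.ts
        if prev is not None and ev.ts - prev < self.window:
            return False                      # seen within the window: no new lookup
        while self._fired and ev.ts - self._fired[0] >= 3600:
            self._fired.popleft()             # drop lookups older than an hour
        if len(self._fired) >= self.max_per_hour:
            return False                      # rate limit: stay quiet this hour
        self._fired.append(ev.ts)
        return True


def run_policy(events, **kw):
    """Replay events in time order; return (ts, src) for each triggered lookup."""
    policy = FirstSeenPolicy(**kw)
    return [(ev.ts, ev.src) for ev in sorted(events, key=lambda e: e.ts)
            if policy.observe(ev)]


# Constructed sample stream: one real client, a burst of SYN-only sources that
# could be spoofed, and a second real client.
SAMPLE_EVENTS = [
    ConnEvent(0,     "10.0.0.5",     "syn"),
    ConnEvent(1,     "10.0.0.5",     "established"),
    ConnEvent(3600,  "10.0.0.5",     "established"),   # same day: no new lookup
    ConnEvent(90000, "10.0.0.5",     "established"),   # 25 h later: fires again
    ConnEvent(10,    "198.51.100.7", "syn"),           # SYN only: unverifiable source
    ConnEvent(11,    "198.51.100.8", "syn"),
    ConnEvent(12,    "198.51.100.9", "syn"),
    ConnEvent(50,    "203.0.113.4",  "established"),
]

if __name__ == "__main__":
    print("handshake required:", run_policy(SAMPLE_EVENTS))
    print("SYN-triggered, capped:", run_policy(SAMPLE_EVENTS, require_handshake=False, max_per_hour=2))
```

With the handshake gate on, the three SYN-only sources never trigger anything, which is exactly the traffic a spoofer could have injected; with the gate off, the hourly cap is what stops the host from becoming a probe reflector for whoever floods it with forged SYNs.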


