Firewall Wizards mailing list archives
Re: Response to door knocking
From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 2 Feb 1999 18:35:05 -0800 (PST)
---Ulrich Flegel <Ulrich.Flegel () CS Uni-Dortmund DE> wrote:
You name them. Unmasking IP spoofing without cooperating routers/sniffers upstream of the alleged aggressor, I don't see how you want to discern real IPs from spoofed IPs. In the worst case the attacker uses you to attack someone else.
I don't think my position was well understood. I don't propose "attacking" a site. If somebody sends spoofed traffic to your site, you will be sending traffic to that spoofed address when you respond. Thus, you are already "guilty" of sending unsolicited traffic to that spoofed IP address.

Today I can force anybody to TCP scan anybody else by spoofing (i.e. I send a spoofed SYN A->B packet to a closed port, B replies RST B->A; I then spoof a range of ports on packets to A to scan all the ports on B. Of course, I never see the results, but that isn't the point). Thus, let's assume I TCP scan anybody that hacks me. It seems of little difference whether you force me to TCP scan an innocent party by the first method, or by triggering the counter-attack method.

In any case, even TCP scanning is more aggressive than I am proposing. For example, what if I created a policy whereby every new TCP connection that I haven't seen in the past 24 hours generates a NetBIOS nodestatus request to find the name? This "feature" is already implemented in Windows; what if I wanted to add a utility to UNIX that does the same thing?

The technical arguments against this haven't really impressed me. For example, a man-near-the-middle (i.e. with a sniffer) style spoofing has been a common argument, but I don't really consider it, because the man-near-the-middle attacker can spoof an attack against somebody more easily than spoof an attack against me to trigger that NetBIOS packet.

What I think is more interesting is the legal implications. Except possibly in Norway (where their Supreme Court has pretty much legalized such activity), this type of activity hasn't really been worked out in the court system. For the most part, the legal arguments about such activities will partially be decided by the technical merits. For example, from one perspective, sending any IP traffic to someone could be considered misuse of their computer resources.
But as I mentioned before, you can spoof ANYONE into sending packets to ANYONE else. Again, the question is not necessarily whether you attacked somebody, but how justified you were in piggybacking information-gathering packets along with legitimate responses.

Moreover, so far, this question has been considered only from a single angle. If I put a Linux machine on the Internet and advertised the root password for it and allowed anybody to log on, I am potentially liable for hackers who log onto that box, then go from there to hack other sites. Thus, if I don't take "reasonable" measures against hackers, I can be sued. Consider a scenario where an unknown hacker broke into my site, then used it as a stepping stone to attack VICTIM. Now, the hacker remains unknown and the VICTIM is suing me. Gosh, wouldn't it have been nice to have gathered additional information that my forensics team and the police could have used to track down the hacker?

Thus, given all the spoofing and legal ramifications, I would not be scared of implementing an auto-NetBIOS feature as described. I might get sued, but somebody else with a Windows box is likely to be sued first. Furthermore, I think I'd appreciate that extra little bit of information from all those script-kiddies out there (because in practice, I will likely get useful info).

But of course, the reason I post this idea on this list is so that you guys can poke holes in my reasoning.

Rob.
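As an added illustration of the "new TCP connection not seen in the past 24 hours" trigger discussed in the message above (this is example code written for this archive page, not anything Robert Graham or the list posted), the policy engine below decides when such a lookup would fire without sending any packets. The connection-log format, the sample log lines, and the two safeguards are assumptions of the example: a lookup only fires for connections that completed the three-way handshake (a blindly spoofed SYN never reaches ESTABLISHED, which is the reflection risk Ulrich raised), and a global rate cap bounds how many lookups a burst of new peers can provoke in any one minute.

```python
"""Decide when a 'first seen in 24 hours' lookup trigger should fire.

Example code written for this archive page; not from the original message.
Log format, sample lines and safeguards are constructed assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <state>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> \S+:\d+ (?P<state>\w+)$"
)

# Constructed sample connection log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-02-02 10:00:00 203.0.113.5:40001 -> 192.0.2.10:80 ESTABLISHED
2024-02-02 10:00:01 203.0.113.5:40002 -> 192.0.2.10:80 ESTABLISHED
2024-02-02 10:00:05 198.51.100.7:1025 -> 192.0.2.10:139 SYN_RCVD
2024-02-02 10:00:10 198.51.100.8:3001 -> 192.0.2.10:80 ESTABLISHED
2024-02-02 10:00:11 198.51.100.9:3002 -> 192.0.2.10:80 ESTABLISHED
2024-02-02 10:00:12 198.51.100.10:3003 -> 192.0.2.10:80 ESTABLISHED
2024-02-03 10:00:00 203.0.113.5:40003 -> 192.0.2.10:80 ESTABLISHED
"""


class FirstSeenPolicy:
    """Fire at most one lookup per peer per window, under a global rate cap."""

    def __init__(self, window=timedelta(hours=24),
                 global_max=3, global_period=timedelta(minutes=1)):
        self.window = window
        self.global_max = global_max
        self.global_period = global_period
        self.last_lookup = {}      # src ip -> time of its last lookup
        self.recent = deque()      # times of all lookups inside global_period

    def decide(self, ts, src, state):
        """Return 'lookup', 'seen', 'not-established' or 'rate-limited'."""
        # Safeguard 1 (assumption): only completed handshakes count. A
        # blindly spoofed SYN cannot complete the handshake, so it cannot
        # make this host send a lookup to the forged source address.
        if state != "ESTABLISHED":
            return "not-established"
        last = self.last_lookup.get(src)
        if last is not None and ts - last < self.window:
            return "seen"
        # Safeguard 2 (assumption): drop lookups older than global_period
        # and refuse new ones once the cap is reached in that period.
        while self.recent and ts - self.recent[0] >= self.global_period:
            self.recent.popleft()
        if len(self.recent) >= self.global_max:
            return "rate-limited"
        self.last_lookup[src] = ts
        self.recent.append(ts)
        return "lookup"


def process_log(text, policy=None):
    """Parse log lines and return [(src, decision), ...] in log order."""
    policy = policy or FirstSeenPolicy()
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # ignore lines that do not match the format
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        results.append((m.group("src"), policy.decide(ts, m.group("src"), m.group("state"))))
    return results


def peers_to_lookup(text):
    """Source addresses for which a name lookup would actually be issued."""
    return [src for src, decision in process_log(text) if decision == "lookup"]


if __name__ == "__main__":
    for src, decision in process_log(SAMPLE_LOG):
        print(f"{src:15s} {decision}")
```

Run against the constructed log, the first connection from 203.0.113.5 fires a lookup, its second connection a second later is suppressed as already seen, the half-open SYN_RCVD entry never qualifies, the fourth distinct ESTABLISHED peer within the same minute is rate-limited, and the same peer returning exactly 24 hours later qualifies again because the window has elapsed. The decision is all the block produces; wiring it to a real NetBIOS node-status query is left out on purpose.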