Security Incidents mailing list archives

Re: Annoy Those Sub7 Scanners.


From: Guillaume Filion <gfk () LOGIDAC COM>
Date: Sun, 27 Aug 2000 13:28:55 -0400

At 14:37 -0700 26/08/00, Max wrote:
> Tired of getting all those Sub7 scans?
> Well, why not make their life a little more difficult!
>
> It appears that when Sub7 scans a port that chargen is sitting on,
> it can't handle it, and crashes. A three-finger-salute is needed to regain any
> use of Windows.
>
> -Max
> [FCS] Yeah, We Regulate [FCS]

While it's maybe a good idea, let's not forget all the flame wars
about counter-attacks and everything. I won't go into this, but I'll
post a copy of an old email written by Michael H. Warfield on the
Abacus mailing list which is so complete it looks like an essay
about counter-attacking:

---------------------------------------
> A really long answer, but now let's talk about reality and security.

        Ohhkkk...  Seeing as I'm the Senior Researcher and Fellow at
Internet Security Systems, I guess I'm qualified to speak to some of
both reality and security.  Sure.  Why not...  ;-/

> I agree with you about all that you've said, but I really don't think that
> things can go so far.

        Welll...  As long as we are talking about reality, yes, things
do go so far.  They have gone that far and will go that far in the future
with chumps that put up counter reaction systems.

        I cited a few examples.  These are reality.  They really did
happen.  There are others on record.  There will be more since, as the
old saying goes, those who fail to learn from history are doomed to
repeat it.

        I know some of the clowns who would do exactly that (play a
sucker's reaction system against him), just for the thrill of embarrassing
a site operator.  You better believe that these guys also understand the
term "tune for maximum smoke" very well.  The security expert with the
E-Mail responder who got caught with his pants down didn't get half
the shellacking that he could have (some say should have) gotten.

> Let's imagine a typical wannabe, he's seen my web and decides to "check" my
> security. The first thing is to make a portscan from his windows machine. He
> can see no port open, even the 80 and that looks strange for him, so he
> tries to watch the web again.

        "Imagine"?  I thought we were talking reality here.  In any case,
he's not your biggest problem, if he's a problem at all.

> Yeeepa! The web doesn't appear. Really strange, so he pings my machine
> and... it doesn't answer. He starts thinking that he has probably made a DoS
> or something by mistake and has "switched-off" my server. Immediately he
> tells all his irc-friends but they can see the web so... what happens?

        Doesn't come down that way.  I've been running portsentry for a couple
of years now on several networks and haven't seen a single instance.  We are
talking reality here, right?

> If he's a bit intelligent as to have seen the programs in Packetstorm he
> will remember some protection programs... Wow, he has touched an intelligent
> and protected system... If he's intelligent enough and has Linux installed
> he won't wait too long to reconnect with another IP and start making
> different portscans until he finds one that our program can't detect.
>
> And all of his curiosity started because WE (it's supposed that everybody in
> this list uses Abacus solutions) are using a program which denies that person
> if he detects an attack.

        I thought you were talking reality, not conjecture.  The reality
is widespread port scans trolling vast expanses of addresses looking for
something to respond.  The reality is automatons that are just scanning
for imap or sub7 or netbus.  If an address space is "dark", their detectors
never give a peep and they just keep trolling into the night.  Reason I know
this is that I have portsentry on a firewall protecting a /19 behind it and
I can see the patterns.  I can see the wide scans (scanning across IP
addresses looking for only one or two services) and I can see the deep
scans (picking a known good IP address and scanning for what services are
available), I can see the distributed scans (scanning from multiple IP
addresses to reduce port scanning detection), and I can see the slow scans
(dribbling scan attempts at a slow rate to remain in the noise).

        You've knocked yourself out by first saying he's a wannabe and
then attributing this malice to him that he's picked out your system and
he's going to all this effort on it.  No.  The wannabes are going to scan
as much as possible as fast as possible for something they are interested
in.  If they don't find anything, they keep going.  If they do find what
they're looking for, they'll be all over you.  If they find something else
interesting, that's when they let their buddies know.  Most of their tools
are automated.  They pick up the results after running address scans all
night.  No response, no alert, the address gets ignored.

        The stereotypical image of a PFY (pimply faced youth) staring
blurry eyed at a tube all night while picking apart web server after web
server is largely fiction (not totally fiction - but largely).  Now, they
start a job and pick up results every few hours.  Nothing shows up, chances
are good they don't even know they scanned your address.

        Remember too that stateful analysis (check a service, if there
do a scan, then recheck the service) is costly and slow compared to
the massive parallel scans that are in use now.  It doesn't scale well
to large numbers of addresses.  It's going to be employed against you
only after you've attracted their attention.  Until then, they get their
biggest bang for their computing buck by doing stateless scans scaled
up and run in parallel.  I've written tools that do both, parallel
port scans and stateful vulnerability checks.  I wrote a "Ping 'O Death"
check that basically pinged a system, if the system responded fired the
"Ping 'O Death" at it and then rechecked the normal ping to see if the system
survived.  The port scanners "haul ass" compared to something even as simple
as that one test.

> Now think about if he was really attacking my system or not... if you
> configure Portsentry to wait for a few forbidden ports to be touched then
> that person is REALLY CHECKING the system (until this moment it can't be
> considered as an attack, as a judge said many months ago).

        The guy that checks your system and then does a port scan and then
double checks your system is a step above the "wannabes" and is already
interested in your system for some reason.  Likely as not, this individual
would not even start with a fully connected port scan but would do a FIN
scan or other stealth scan.

        Netfilter is going to help with stealth scans on the Linux platforms
where we can use it to block FIN scans and fragment scans and other stealth
scans against TCP.  Ipfilter can do the same thing on the *BSD variants.
These should be deployed at the host and at the network level to
interfere with these scans, but that's a totally separate issue from
portsentry.

> So we have detected a STUPID portscan and only a wannabe does this.
> Evidently a wannabe doesn't protect his own system too much and he won't
> detect that the attacked system is getting information about him.

        That is really dumb, you know that.  Pure conjecture and supposition
that "only a wannabe does this" (not true) and where did you get this
"Evidently a wannabe doesn't protect his own system too much"?  What
evidence to back the "evidently"?  I don't see it.  Even the lamers load
up the evil ident servers and the fake finger servers.  They want to know
when they've struck a nerve.  That's one of their common detection methods!

        Besides which, if they really are lamers who don't know how to
secure their own systems or don't think far enough ahead to load up the
false response servers, just blow them off and ignore them.  They're
no threat to you or your systems if you are already up to running
portsentry.  If they are sophisticated attackers and intruders then I
can virtually guarantee that the information you get back from your probes
is going to be false, or worse.  So you are left with either useless (lamer)
information or false (dangerous intruder) information.  Either way, you
lose, so why bother with it?

> I don't really think that a hacker would do this, a real hacker will make a
> good portscan (undetectable) and he will detect that his machine is being
> asked about him. Once he's found our interesting system the detail of a
> netbios check... do you really think that he wasn't already interested?

        Right...  Well now you just supported my primary arguments.
By not probing back, you're going to weed out the broad sweeps from
the thousands of wannabes out there.  You're right, that's not going
to stop the determined intruder, but that's not what it's for anyways.
That's what the second layer of detection and defense is for.  That's
why you should have intrusion detection systems behind portsentry.

        Someone trying some sophisticated attack is then going to trip
your IDS.  If your IDS goes off, you know it's not because of some
lamer running a wide sweep for sub7 or something.  I've got things
like secure logging servers and dedicated stealth IDS boxes waiting for
the FIN scans and the Christmas scans and for the directed attacks.

        BTW...  I have reports right now indicating that wide sweeps for
sub7 (a Windows trojan and remote control cybertoxin) are now the number
one port probes taking place on broadband networks such as cable modems.
Up until recently, it was wide sweeps for imap, looking for the old
RedHat 5.1 vintage imap service with the remote root hole.

        The other day, someone made a suggestion that I'm just
investigating.  That was to set up a stealth system (system with no
IP address) which sits on a common segment of the network sniffing.
But it wasn't sniffing for intrusions, it was sniffing for syslog
traffic.  The syslog traffic is directed at a different dedicated
logging server but also picked up by this one.  Now, an intruder breaking
into one system will discover the logs are stored and processed on another
server, which he may attack.  He doesn't know about and can't access the
third, stealth, server which has picked up and stored the logs or about the
IDS which just set off alarms due to unexpected traffic against the exposed
logging server.  The exposed logging server may be a total fake anyways,
left with tempting holes and deceiving services just to attract attack
to give the IDS fuel to trigger on.  Not a honey pot, necessarily, but
a sacrificial server which nothing else trusts.  This is the mesh that waits
for the high skills attacker.  Portsentry is just the front door filter
weeding out the riff raff and eliminating a lot of noise and false alarms.

        In my security tutorials, I'm always preaching defense in depth.
You need multiple layers of defense.  That way an intruder must be perfect
in his efforts to break into your network in slipping past authentication
and access controls while avoiding alarms, tricks, and traps.  One mistake
and the trap shuts on him and alerts you.

> Once a real hacker spots our system... better pray.

        No...  You don't pray, you be prepared.

        As Sun Tsu teaches in the Art of War...  "So the rule is not to
count on opponents not coming, but to rely on ways of dealing with them;
not to count on opponents not attacking, but rely on what cannot be attacked."

        You don't rely on portsentry as your only defense, it is only one
of your defenses.  You don't rely on the smart cracker not attacking and
slipping through your only defense.  You need to be prepared for him on
the other side, knowing that it isn't some riff raff rattling door knobs.

> And if he attacks from a university it is because he has gained a shell there,
> so the system isn't really well configured (ok, we could talk for months
> about the stupid passwords of the users and such things) as to detect a
> netbios check and those checks.
>
> Let's imagine that I'm getting curious checks on my system and I imagine that
> they come from the same person, not very intelligent I wish, and I want to
> get more information about him to know if he's the same person or not, to
> start tracing his attempts, or do I have to wait until my system has been
> compromised?

        Hmmm...  There's that word "imagine" again.  Reality, remember...
You want to get more information about him so you resort to probing him
back and relying on information which he controls?  I don't think so.
You can't even tell if the information is valid or not and can't tell
if it's set off any detectors on his side or not?  Are you sure this
is what you want to do?

> If I wasn't a security paranoid I wouldn't have installed Portsentry.

        You're not nearly paranoid enough, if you think that responding
to a port scan with a counter probe is a reasonable action.

> You say that somebody can use my checks to make me a DoS... and? Nowadays
> any script kiddie can perform a distributed DoS even if my server has a web
> about religious cultures a radical can attack it, or if I have a gay web a
> heterosexual can attack it too.
>
> I'm looking for solutions, not words. "The best defense is an attack", well
> I don't want to attack but to know whom I will fight against if he reaches my
> system.

        No...  Sun Tsu also teaches that to win by not attacking is best.
Attacking and fighting chews up and wastes your resources, your "fullness".
To win by not fighting is good.  The expression "The best defense is an
attack" is foolish when a fight could have been avoided entirely.  "The
best defense is a good offense" (the correct expression) is only true
when a battle is inevitable.  The first defense must be to avoid conflict
or win the conflict before the battle.

        You won't find solutions in reaction systems.  The intruders
know how to deal with them.  This is reality.  They have those tools now.
Counter probes have been around for years and the flaws in the concept
are well known.  Hostile servers and fake services are their stock in
trade.  If you rely on information you get from probing an intruder's
system, you are just going to get lied to all the while he is checking
out who just jumped when he poked them.

        The real danger is that you can't tell when you are being lied to
or when you have anything useful.  If you can't tell when the data back
from the probes has been falsified, how can you do anything with the
data that hasn't?

        Remember too...  Think automation, not PFY.  They can automate
alarms that tell them when a system probes them back.  Then they know
they have found something interesting.  You are raising a loud gong
proclaiming "here I am" to the throngs of port scanners.  You really
don't want to attract that kind of attention.

> Or is it better just to sit down, do nothing and just wait until some user
> tells me that our web doesn't work?

        I would never preach that.  Were you listening?

        [...]

> > Morals of this story:
>
> > Don't tip him off that you've spotted him.
>
> > Don't inform him that you have sophisticated detectors.
>
> > Don't rely on information that he controls.
>
> > Don't open yourself up to other indeterminate exploits and attacks.
>
> > Don't open yourself up to being abused to attack others.
>
> > Don't open yourself up to legal liabilities.
>
> > Don't open yourself up to potential denial of service attacks,
> > self-inflicted or otherwise.
>
> > Whatever you think you might gain by doing this is not worth
> > the risk.

        Add this...  Contemplate Sun Tsu and the Art of War...

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
---------------------------------------

Best,
GFK's
--
http://logidac.com
Guillaume Filion (GFK's)
Logidac Technologies, Québec, Canada
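The essay above argues that the useful signal is already in the defender's own logs: wide sweeps, deep scans of one host, distributed scans spread over many sources, and slow scans dribbled out to hide in the noise, all recognisable without ever sending a packet back to the scanner. The following is an added example, not code from the thread, from portsentry, or from any Abacus tool: a passive classifier that reads rejected-connection records and labels each of those four patterns. The log format, the threshold constants and the sample records are constructed assumptions for illustration.

```python
"""Passive port-scan pattern classifier over filter log lines (added example).

Groups rejected connection attempts into the wide / deep / distributed / slow
patterns the essay describes, using only the defender's own logs.  Nothing
is sent back to the scanning host.
"""
from collections import defaultdict
from datetime import datetime

# Thresholds are assumptions chosen for the constructed sample below; they
# are not settings of portsentry or of any other tool.
MIN_EVENTS = 4             # a source with fewer events is treated as noise
WIDE_MIN_TARGETS = 5       # one or two ports across at least this many hosts
DEEP_MIN_PORTS = 5         # at least this many ports against one host
SLOW_GAP_SECONDS = 600     # mean gap above this marks a deep scan as slow
DISTRIBUTED_MIN_SOURCES = 3

# Constructed sample log (not captured traffic): "timestamp src dst dport",
# one line per TCP connection attempt the filter rejected.
SAMPLE_LOG = """\
2000-08-26T02:00:00 10.0.0.5 192.0.2.1 27374
2000-08-26T02:00:00 10.0.0.5 192.0.2.2 27374
2000-08-26T02:00:01 10.0.0.5 192.0.2.3 27374
2000-08-26T02:00:01 10.0.0.5 192.0.2.4 27374
2000-08-26T02:00:02 10.0.0.5 192.0.2.5 27374
2000-08-26T03:00:00 10.0.0.9 192.0.2.20 21
2000-08-26T03:00:00 10.0.0.9 192.0.2.20 22
2000-08-26T03:00:00 10.0.0.9 192.0.2.20 23
2000-08-26T03:00:01 10.0.0.9 192.0.2.20 80
2000-08-26T03:00:01 10.0.0.9 192.0.2.20 143
2000-08-26T04:00:00 10.0.0.77 192.0.2.30 21
2000-08-26T04:20:00 10.0.0.77 192.0.2.30 22
2000-08-26T04:40:00 10.0.0.77 192.0.2.30 23
2000-08-26T05:00:00 10.0.0.77 192.0.2.30 80
2000-08-26T05:20:00 10.0.0.77 192.0.2.30 143
2000-08-26T07:00:00 10.0.1.1 192.0.2.40 21
2000-08-26T07:00:00 10.0.1.1 192.0.2.40 22
2000-08-26T07:00:01 10.0.1.2 192.0.2.40 23
2000-08-26T07:00:01 10.0.1.2 192.0.2.40 80
2000-08-26T07:00:02 10.0.1.3 192.0.2.40 110
2000-08-26T07:00:02 10.0.1.3 192.0.2.40 143
this line is malformed and must be skipped
"""


def parse_log(text):
    """Parse lines into (time, src, dst, port) tuples; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return events


def classify_source(events):
    """Label one source's events 'wide', 'deep', 'slow', or None (noise)."""
    if len(events) < MIN_EVENTS:
        return None
    times = sorted(e[0] for e in events)
    targets = {e[2] for e in events}
    ports = {e[3] for e in events}
    if len(targets) >= WIDE_MIN_TARGETS and len(ports) <= 2:
        return "wide"          # sweep: one or two services across many addresses
    if len(targets) == 1 and len(ports) >= DEEP_MIN_PORTS:
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if sum(gaps) / len(gaps) > SLOW_GAP_SECONDS:
            return "slow"      # the same deep scan, dribbled out to stay in the noise
        return "deep"          # one address, many services, in a burst
    return None


def classify(events):
    """Return {source: label} plus {'target:<dst>': 'distributed'} findings."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e[1]].append(e)
    findings = {}
    for src, evs in by_src.items():
        label = classify_source(evs)
        if label:
            findings[src] = label
    # A distributed scan keeps every source under MIN_EVENTS so that no single
    # source is flagged; look at the target instead and count how many
    # otherwise-quiet sources jointly covered many of its ports.
    by_dst = defaultdict(list)
    for e in events:
        if e[1] not in findings:
            by_dst[e[2]].append(e)
    for dst, evs in by_dst.items():
        sources = {e[1] for e in evs}
        ports = {e[3] for e in evs}
        if len(sources) >= DISTRIBUTED_MIN_SOURCES and len(ports) >= DEEP_MIN_PORTS:
            findings["target:" + dst] = "distributed"
    return findings


if __name__ == "__main__":
    for key, label in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{key:20} {label}")
```

The per-source pass catches the wide, deep and slow cases; the distributed case is only visible per target, because its whole point is that each source stays below any per-source threshold. Output of this kind is what the essay suggests feeding to the next layer (an IDS behind the front-door filter) rather than using as a trigger to probe the scanner back.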

