Vulnerability Development mailing list archives

Re: Automatic Retaliation contra DoS

From: Bug () WESTON CX (Weston Pawlowski)
Date: Wed, 17 May 2000 23:04:13 -0600


Whoa, calm down. I *never* said anything at all about doing anything to the
attacker other than blocking him. "Retaliation" doesn't always mean "attack", and
I didn't say anything that would even slightly imply that it did. And, if you
would have actually read my post or the post that I was replying to, you would
realize that what I'm speaking of is retaliating by cutting off the attacker's
access to your system. What I was talking about is strictly defensive, no "federal
crimes" are commited. Recommending the use of an attack is just as stupid as
flaming about a post that you haven't even completely read.

-Weston

"Michael H. Warfield" wrote:

On Wed, May 17, 2000 at 08:52:13PM -0000, Weston Pawlowski wrote:

Automatic retaliation is usually a bit dangerous, but it can
still be a good thing, you just have to be careful...


        No...  It can not be a good thing because you can not be
careful enough not to have it turned against you.

It can be used as a DoS against you... Let's say that you
have portsentry setup to detect stealth TCP and UDP
scans/floods, and it filters out all packets from the
"attacker" via ipchains. Well, guess what... Someone could
just type something like "nmap -sS -S 64.28.67.48 -e eth0
yourserver.net" and cause portsentry to think "64.28.67.48"
(slashdot.org) is scanning you, so it'll filter it out, and
now you can't read slashdot.org until you remove the entry
in ipchains! It's incredibly easy to spoof an IP on a SYN
scan, so don't retailiate when you detect one.


        How about this...  How about if I set up a web page with
lots of pretty girls with no clothes on and lots of hidden image src
URL's that poke at your retaliating box.  Make it look like a full
fledged, fully connected, port scan or maybe an intrusion attempt
(go for some trojan ports).  Then I add some really enticing meta-tags
and leave a link around that the search engines are sure to hit.
Then just wait for the chumps to come hit it.  You take them out
in wind-rows and their admins want to know why you are commiting a
federal crime by executing attacks against their systems.  Want that
legal liability?  Want to explain that to your lawyers?

So, you should only retaliate when you are pretty sure that
the IP is real (ie a full connection). I have my server
setup to only notify me of stealth mode scans (such as a SYN
scan), and I have simple little programs, which I call port
mines, listening on various unusual port numbers for full
connections. When a connection is made to one of my port
mines, it notifies me and filters out the attacker via
ipchains. My setup will retaliate against non-stealth port
scans (used by most script kiddies and Windows users), and
notify me about anything else.


        If I know what your IP address is, you could be in a lot of
trouble...

        SecureITeam posted a message on their web site that I had
written about this on the Abacus mailing list.  You can find it here.

http://www.securiteam.com/securitynews/The_risks_of_counter-attack_tactics.html

        To summarize, even to do queries back to the "probing" system
is likely to bring you unwanted attention and likely to be used
against you.  You've really got nothing to gain and you are risking
an awful lot (especially in terms of legal liability if this thing
backfires on you - and it will).

Completely filtering a suspected attacker out might be a bit
harsh for a more public server, so I'd aggree that lowering
the priority would be a great alternative. Does anyone know
how feasible and how effective that would be?

As long as we're on the subject, does anyone know why
someone might want to poke at UDP ports 22 and 5632. I was
just notified by portsentry that someone's messing with
those ports, again. I saw exactly the same thing, three
times before. The last two times it was from the same IP as
the current attack, but the very first time it was from a
different IP, but on the same ISP. And all four times, I was
using a different IP. Any theories???

-Weston Pawlowski
Bug () Weston cx
The Mace Project: http://www.MaceHQ.cx


--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Current thread:

Re: DoS Local machines, (continued)
- - - Re: DoS Local machines Jason (May 10)
    - Re: DoS Local machines Barclay Osborn (May 11)
  - Re: Networking theories Helmethead (May 07)
  - Re: Networking theories Dragos Ruiu (May 07)
  - Re: Networking theories Blue Boar (May 07)
- Re: Networking theories Matthew King (May 08)
  - Re: Networking theories Dug Song (May 08)
  - Automatic Retaliation contra DoS sigipp () WELLA COM BR (May 09)
    - Re: Automatic Retaliation contra DoS Weston Pawlowski (May 17)
    - Re: Automatic Retaliation contra DoS Michael H. Warfield (May 17)
    - Re: Automatic Retaliation contra DoS Weston Pawlowski (May 17)
    - Re: Automatic Retaliation contra DoS Michael H. Warfield (May 18)
    - Re: Automatic Retaliation contra DoS Ryan Sweat (May 17)
    - Re: Automatic Retaliation contra DoS Max Vision (May 17)
  - Re: Networking theories Pavel Kankovsky (May 09)