thomas lakofski <[EMAIL PROTECTED]> writes:
> On 29 Jan 2001, Rainer Weikusat wrote:
> > Random garbage traveling across the 'net is exactly this: Random
> > garbage.
>
> ok, and?
Why bother?
> > If I suffer from dynamic IP allocations, you would be blocking
> > hundreds of IPs within a comparatively short amount of time
[...]
> I think the machine can manage to handle executing a command every three
> seconds.
Probably. But checking every incoming packet against some hundred
bogus filtering rules will degrade network performance, possibly in a
way that might get noticed.
> > Why do you worry about holes in programs you don't even run?
>
> I'm not worried about holes in programs I don't even run. I'm interested in
> detecting, and taking action against, actions which appear to be
> suspicious.
Like prophylactically lynching certain 32-bit numbers?
> > If I know what's happening on the box, I don't need a tool like this,
> > as I don't run any services except those I intend to, with the latter
> > ones being reasonably configured.
>
> I still want to detect behaviour indicative of an attack
You *cannot*. You can recognize an attack that's happening, not a
possibly happening attack. For instance, shortly after w2k hit the
'net, machines from all over the world started flooding us with
packets to port 28800, which, due to a dialup-link, became quite
expensive to us. Nevertheless, this probably wasn't an attack, but a
simple configuration problem (and I don't even know if it was
Windows-related. It just happened around the same time).
> and take action.
Your TCP/IP-stack would take that action ("dumping of garbage
packets") automatically.
> > > I have a default-deny firewall with portsentry.
> >
> > Consider a default-REJECT firewall. This is a lot nicer to others.
>
> Until someone uses it as a mirror for a denial of service attack.
Or a certain person comes across a certain RFC, wherein 'they talk'
of ICMP rate limiting.
> Legitimate traffic will never have any problems.
Legitimate traffic will have problems, given the situation outlined in
my previous post.
<mode=flame>
Was that too complicated for you or have you simply been
lobotomized in the past?
</>
> > They will, as demonstrated above.
>
> Unlikely; at least, it hasn't happened in the last 3 or so years.
There's no way for you to tell.
--
SIGSTOP
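The rule-growth point argued over above, as an added model that is not part of the original thread: it replays a constructed hour of probes, one every three seconds from a changing source address (a dynamic-IP scanner or many misconfigured hosts), through a portsentry-like blocker with and without rule expiry, and counts the peak rule-set size and the per-packet comparisons a linear rule chain would pay. The linear-chain cost model and the 600-second expiry are assumptions of the example, not settings from the thread.

```python
"""Model of a portsentry-style auto-blocker (added example, constructed data)."""

PROBE_INTERVAL = 3   # one blocking action every three seconds, as in the thread
DURATION = 3600      # one constructed hour of probes
BLOCK_TTL = 600      # assumed lifetime of a block when expiry is enabled


def constructed_probes():
    """Yield (time, source_ip); every probe comes from a fresh private address."""
    for now in range(0, DURATION, PROBE_INTERVAL):
        n = now // PROBE_INTERVAL
        yield now, f"10.{(n >> 8) & 255}.{n & 255}.1"   # constructed, not a real host


class Blocker:
    """Blocks a source on its first probe; optionally expires blocks after ttl seconds."""

    def __init__(self, ttl=None):
        self.ttl = ttl
        self.rules = {}       # source_ip -> time the rule was installed
        self.peak = 0         # largest rule set seen
        self.comparisons = 0  # cost proxy: a linear chain compares against every rule

    def expire(self, now):
        if self.ttl is None:
            return
        for ip, installed in list(self.rules.items()):
            if now - installed >= self.ttl:
                del self.rules[ip]

    def packet(self, now, ip):
        self.expire(now)
        self.comparisons += len(self.rules)   # every packet walks the whole chain
        if ip in self.rules:
            return "dropped"
        self.rules[ip] = now                  # block on first sight, portsentry-style
        self.peak = max(self.peak, len(self.rules))
        return "blocked"


def simulate(ttl=None):
    """Return (peak rule count, total chain comparisons) for one constructed hour."""
    blocker = Blocker(ttl)
    for now, ip in constructed_probes():
        blocker.packet(now, ip)
    return blocker.peak, blocker.comparisons


if __name__ == "__main__":
    print("no expiry :", simulate())          # 1200 rules, every packet checked against all
    print("600s expiry:", simulate(BLOCK_TTL))  # bounded at 200 rules
```

Without expiry the chain grows by one rule per probe for the whole hour; with expiry it stays bounded at TTL / PROBE_INTERVAL rules, which is the difference between "hundreds of IPs" and a rule set the stack can walk cheaply.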