The problems with such an approach are:
- You are doing some work as a consequence of an attack. So, you're consuming CPU, network resources, ... just because an attacker did something. This may be considered as a form of "losing the war against attackers". Indeed, this is a "voluntary DoS".
- When redirecting to some other service, it should be made sure that the latter cannot be cracked. But "sure" is not in security dictionaries.
- Doing that, you are accepting (in some form) to "play" with the attacker, and this is to his advantage: he has enough time to lose.
- Blocking the port and ignoring the attacker is a sufficient approach. When he gets convinced that you are well protected, he will try to find another target. In contrast, if you do something "unusual" (such as the redirection you're talking about), he gets excited about how to "win" this war (you defied him).
- The redirection you're talking about would be helpful if there was a way to trace the attacker. However, and IP security is much about this, nothing guarantees nothing. The truth is nowhere...
You should remember that the attacker has the advantage (this is true in other situations, such as in chess, ...), and that good defense goes with the economical principle of "least effort" until the other gets tired.
regards,
mouss
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, May 10, 2000 5:46 PM
> To: Eddy Kalem
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: FW: Redirecting closed port connections
>
>
> Eddy,
>
> Rather than redirect to a reporting agency, there is an inexpensive solution
> out there (approx. 3K+) that will do just what you ask. ManTrap (by Recourse
> Technologies) works with your existing firewall and any violations to your
> security policy that you wish to be investigated will be redirected to a
> prototype environment (hopefully one that mimics your real site - only
> difference is the infrastructure behind the site is a dynamic model to appease
> the hacker). Meanwhile, every key stroke he makes and the source of his
> origin is being recorded and derived respectively.
>
> Just a thought...
>
> Eddy Kalem wrote:
>
> > Does anyone know if there's a host or an organization I can redirect
> > non-permitted port connections to. For example, say someone's trying to
> > exploit port 1080 at my firewall--which I'm currently blocking at my
> > firewall--and let's say instead of blocking the address, I redirect it,
> > keeping the originating IP address, to the G men's web server or some other
> > organization that logs this type of activity. Is there such a site?
> >
> > Eddy Kalem
> > Phyve, formerly Digital Medical Systems
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]