IMHO doing nothing to discourage hackers is more of a form of "losing the war against attackers".
People will continue to do illegal things when they believe that it is unlikely that they will be caught or penalized for it. We as the security community need to take a proactive approach. If we all installed "Honey Pots" capable of gathering sufficient evidence to prosecute the people that broke into them, I bet a large number of "script kiddies" would soon find something productive to do with their computer skill.
I'm not interested in letting them hack away. I'm interested in getting them (or their parents) to help pay for all the time and effort I put into fixing the problems they cause.
-- Bill Stackpole, CISSP
"mouss" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/12/2000 01:12 AM ZE2
To: <[EMAIL PROTECTED]>, "Eddy Kalem" <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
bcc:
Subject: RE: FW: Redirecting closed port connections
The problems with such an approach are:
- You are doing some work as a consequence of an attack. So, you're consuming CPU, network resources, ... just because an attacker did something. This may be considered as a form of "losing the war against attackers". Indeed, this is a "voluntary DoS".
- When redirecting to some other service, it should be made sure that the latter cannot be cracked. But "sure" is not in security dictionaries.
- Doing that, you are accepting (in some form) to "play" with the attacker. And this is to his advantage: he has enough time to lose.
- Blocking the port and ignoring the attacker is a sufficient approach. When he gets convinced that you are well protected, he will try to find another target. In contrast, if you do something "unusual" (such as the redirection you're talking about), he gets excited on how to "win" this war (you defied him).
- The redirection you're talking about would be helpful if there was a way to trace the attacker. However, and IP security is much about this, nothing guarantees nothing. The truth is nowhere...
You should remember that the attacker has the advantage (this is true in other situations, such as in chess, ...), and that good defense goes with the economical principle of "least effort" until the other gets tired.
regards,
mouss
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, May 10, 2000 5:46 PM
> To: Eddy Kalem
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: FW: Redirecting closed port connections
>
>
> Eddy,
>
> Rather than redirect to a reporting agency, there is an inexpensive solution
> out there (approx. 3K+) that will do just what you ask. ManTrap (by Recourse
> Technologies) works with your existing firewall and any violations to your
> security policy that you wish to be investigated will be redirected to a
> prototype environment (hopefully one that mimics your real site - only
> difference is the infrastructure behind the site is a dynamic model to appease
> the hacker). Meanwhile, every key stroke he makes and the source of his
> origin is being recorded and derived respectively.
>
> Just a thought...
>
> Eddy Kalem wrote:
>
> > Does anyone know if there's a host or an organization I can redirect
> > non-permitted port connections to? For example, say someone's trying to
> > exploit port 1080 at my firewall--which I'm currently blocking at my
> > firewall--and let's say instead of blocking the address, I redirect it,
> > keeping the originating IP address, to the G men's web server or some other
> > organization that logs this type of activity. Is there such a site?
> >
> > Eddy Kalem
> > Phyve, formerly Digital Medical Systems
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
