-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've really got to interrupt on this argument.

There are an infinite number of ways to protect your systems, servers,
and networks.  No one is better than another, overall.  Sure, in
specific instances, a retaliation is much better than passiveness (i.e.
an active BIND NXT-exploit attempt, as it would be incredibly difficult
to spoof the source).  But in others, passiveness is much better than
retaliation (i.e. port scans).  But there are various levels of
passiveness.  Personally, I just block all port scans (this only works
from Linux), using the secure TCP stack patch, from
http://www.innu.org/~sean.  It's wonderful.  And Synlogger, so I hear,
does an excellent job of blocking SYN port scans.

Personally, I find the best way to ward off attackers is to open
everything up.  The general first stance (especially from script
kiddies) is to do a port scan.  Now, if the scan pulls up nothing, but
you know the machine is there, it's like a challenge.  If the scan pulls
up a DoS on you, you're gonna get pissed off.  But if the scan pulls up
all 65535 ports open (this is a trick I've learned - it actually
confuses Nmap so that the _real_ open ports are lost somewhere in the
scan), the kiddie's probably going to back off, being incredibly
confused.  Or, they might try some common ones (like NetBus,
BackOrifice, etc), and finding that nothing happens, leave.

But I'm not saying that this is the best for everyone.  In my situation,
it works for me.  In yours, it might not.  Gandhi used passive
resistance.  It worked quite well.  So why won't it work for computers?
Then again, passive resistance would have failed miserably in either
World War.  There's a flip side to everything.

Just my two cents.

Damian Gerow
Intellitactics, Inc.

> -----Original Message-----
> From: mouss [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 11, 2000 7:12 PM
> To: [EMAIL PROTECTED]; Eddy Kalem
> Cc: [EMAIL PROTECTED]
> Subject: RE: FW: Redirecting closed port connections
> 
> 
> The problems with such an approach are:
> 
> - you are doing some work as a consequence of an attack. So, you're
> consuming CPU, network resources, ... just because an attacker did
> something. This may be considered a form of "losing the war against
> attackers". Indeed, this is a "voluntary DoS".
> 
> - when redirecting to some other service, it should be made sure that the
> latter cannot be cracked. But "sure" is not in security dictionaries.
> 
> - doing that, you are accepting (in some form) to "play" with the attacker,
> and this is to his advantage: he has enough time to lose.
> 
> - blocking the port and ignoring the attacker is a sufficient approach.
> When he gets convinced that you are well protected, he will try to find
> another target. In contrast, if you do something "unusual" (such as the
> redirection you're talking about), he gets excited about how to "win"
> this war (you defied him).
> 
> - the redirection you're talking about would be helpful if there was a way
> to trace the attacker. However, and IP security is much about this,
> nothing guarantees anything. The truth is nowhere...
> 
> You should remember that the attacker has the advantage (this is true in
> other situations, such as in chess, ...), and that good defense goes with
> the economical principle of "least effort" until the other gets tired.
> 
> 
> regards,
> mouss
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> > Sent: Wednesday, May 10, 2000 5:46 PM
> > To: Eddy Kalem
> > Cc: '[EMAIL PROTECTED]'
> > Subject: Re: FW: Redirecting closed port connections
> >
> >
> > Eddy,
> >
> > Rather than redirect to a reporting agency, there is an inexpensive
> > solution out there (approx. 3K+) that will do just what you ask.  ManTrap
> > (by Recourse Technologies) works with your existing firewall, and any
> > violations of your security policy that you wish to be investigated will
> > be redirected to a prototype environment (hopefully one that mimics your
> > real site - the only difference is that the infrastructure behind the
> > site is a dynamic model to appease the hacker).  Meanwhile, every
> > keystroke he makes is being recorded and the source of his origin derived.
> >
> > Just a thought...
> >
> > Eddy Kalem wrote:
> >
> > > Does anyone know if there's a host or an organization I can redirect
> > > non-permitted port connections to. For example, say someone's trying to
> > > exploit port 1080 at my firewall--which I'm currently blocking at my
> > > firewall--and let's say instead of blocking the address, I redirect it,
> > > keeping the originating IP address, to the G-men's web server or some
> > > other organization that logs this type of activity. Is there such a
> > > site?
> > >
> > > Eddy Kalem
> > > Phyve, formerly Digital Medical Systems
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> >
> 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBORwsdPWPEBDMsfC4EQItUwCg99Uu9Nc9NK76hZJUFOWlnP13RggAoM4j
MgeQYnD5f5PEZylmmEvFaUIS
=2E2B
-----END PGP SIGNATURE-----
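The "every port looks open" trick described at the top of this thread, as an added example that is not code from the original post or from any tool it names. It assumes a modern Linux netfilter (iptables REDIRECT) in place of the 2000-era kernel patch mentioned above; the decoy listener itself is plain sockets and portable. The function and class names, the interface name eth0 and the sink port 4444 are illustrative choices, not anything from the thread. The check a practitioner needs here is the exclusion list: if the ports you actually serve are not excluded from the redirect, your own SSH and HTTP get swallowed by the decoy as well.

```python
"""Decoy responder that makes every unused TCP port complete a handshake.

Added example, not from the original post. Assumes Linux netfilter
(iptables -t nat ... REDIRECT) for the all-ports part; the sink listener
and the probe run anywhere.
"""
import socket
import threading


def build_redirect_rules(real_ports, sink_port, iface="eth0"):
    """Return the iptables commands (as strings; not executed here) that send
    every new TCP connection to a port we do NOT serve into the sink listener.

    real_ports must list the services you really run: they are excluded with
    multiport negation so the decoy never captures your own SSH/HTTP.
    multiport accepts at most 15 ports per rule (assumed limit of the match).
    """
    if not real_ports:
        raise ValueError("list the ports you actually serve")
    if len(set(real_ports)) > 15:
        raise ValueError("multiport takes at most 15 ports; split the rule")
    excluded = ",".join(str(p) for p in sorted(set(real_ports)))
    return [
        # nat/PREROUTING sees only the first packet of a new flow, so the
        # redirect costs one lookup per SYN, not per packet.
        f"iptables -t nat -A PREROUTING -i {iface} -p tcp "
        f"-m multiport ! --dports {excluded} "
        f"-j REDIRECT --to-ports {sink_port}",
        # let the redirected flow reach the sink listener
        f"iptables -A INPUT -i {iface} -p tcp --dport {sink_port} -j ACCEPT",
    ]


class SinkServer:
    """Accepts on the sink port and closes immediately: the scanner's
    handshake completes (port reported open) but no banner is ever sent,
    so there is nothing to fingerprint or to exploit."""

    def __init__(self, host="0.0.0.0", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(128)
        self.sock.settimeout(0.2)          # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.accepted = 0
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with self._lock:
                self.accepted += 1
            conn.close()                   # no data, no banner

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(host, port, timeout=1.0):
    """What a connect() scan observes: True if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo():
    """Local demonstration on the loopback interface, no root needed."""
    sink = SinkServer("127.0.0.1")         # ephemeral port for the demo
    try:
        print("sink port", sink.port, "looks open:", probe("127.0.0.1", sink.port))
        for rule in build_redirect_rules([22, 80], sink.port, iface="lo"):
            print("would run:", rule)
    finally:
        sink.close()
    print("after shutdown, looks open:", probe("127.0.0.1", sink.port))


if __name__ == "__main__":
    demo()
```

Run the printed iptables lines as root only after confirming the exclusion list covers every service you really expose; a SYN scan (nmap -sS) then sees the sink port open, a connect() scan sees every non-excluded port open, and the sink never answers with bytes, which is what keeps mouss's "voluntary DoS" objection small: one accept() and close() per probe.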