On Wed, Dec 08, 1999 at 02:28:24PM -0600, Alan Mead wrote:
> At 09:33 AM 12/8/99 -0500, Michael H. Warfield wrote:
> > Be very VERY careful with udp mode. If someone figures out that
> >you are doing that, they can spoof in carefully crafted UDP scans (src
> >address on UDP can be faked and spoofed) as if they were coming from
> >something like all the root name servers, and you are then toast.
> Couldn't you solve this by dropping your name servers into sentry's ignore
> file?
I assume that you mean the root name servers. The attack would
cut my name servers, and everything else behind my firewall, from reaching
the top of the DNS tree.
But that's beside the point. The DNS example was just that,
an example.
s/DNS/your favorite service/g
The point is that you would open yourself up to denial of service
attacks, and do you really know in advance all of the services you require access
to that an attacker could annoy you with? You would have to
add all of those servers to the ignore file and hope you got them all.
In my case, that could be a LARGE file.
What if he knew you were a Linux fan and spoofed attacks from
vger.rutgers.edu just to cut you off from your Linux fix? Would you have
thought to add all of your favorite mailing lists to your ignore file?
Doesn't cut you off from the net, but it will annoy the hell out of you
until you figure out why things suddenly got quiet. Be one heck of a
way to get back at someone who annoyed you in a conversation on a
mailing list. People have been threatened with (and been hit with)
mail bombing and list subscribe attacks. This would be even easier
to pull off.
And to answer the next obvious question, yes I do believe (and
have seen examples) there are people out there who would pull gags like
that just for fun. I know guys who spent days trying to pull similar
tricks on me when they found out I had PortSentry running on my firewall.
You better believe that UDP spoofing was the FIRST thing they thought of
and tried. You cannot, and must not, depend on the "secrecy" of someone
not knowing what you are running to prevent them from exploiting denial
of service attacks against you.
Just the fact that others and myself have mentioned using
PortSentry makes it a sure bet that plenty of practical jokers know
what we have running.
> ---
> Alan D. Mead / Research Scientist / [EMAIL PROTECTED]
> Institute for Personality and Ability Testing
> 1801 Woodfield Dr / Savoy IL 61874 USA
> 217-352-4739 (v) / 217-352-9674 (f)
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
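A constructed model of the reactive-blocking policy argued over in this thread (an added example, not PortSentry's code; the addresses come from RFC 5737 documentation ranges and stand in for "root name servers" and a mailing-list host). It shows that an ignore file only protects the hosts you remembered to list, while a policy that never treats an unauthenticated UDP source as proof of hostility is not exposed to the spoofing problem at all:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    src: str                # source address as seen on the wire
    proto: str              # "udp" or "tcp"
    verified: bool = False  # tcp only: True once the 3-way handshake completed


def naive_block(probe: Probe, ignore: set[str]) -> bool:
    """Policy from the thread: block any probing source not in the ignore file."""
    return probe.src not in ignore


def hardened_block(probe: Probe, ignore: set[str]) -> bool:
    """A lone UDP datagram proves nothing about its sender, so it only alerts;
    block only a source that has completed a TCP handshake (address verified)."""
    if probe.src in ignore:
        return False
    return probe.proto == "tcp" and probe.verified


def blocked_hosts(policy, probes, ignore: set[str]) -> set[str]:
    """Every source the given policy would add to the firewall deny list."""
    return {p.src for p in probes if policy(p, ignore)}


# Constructed stand-in addresses (RFC 5737 ranges), not real servers
ROOT_NS = {"192.0.2.10", "192.0.2.11"}     # "root name servers"
LIST_HOST = "198.51.100.25"                 # "favorite mailing list" host
NEEDED = ROOT_NS | {LIST_HOST}              # hosts we cannot afford to lose

# Constructed traffic: forged UDP datagrams claiming to come from NEEDED,
# plus one genuine TCP scanner that completed its handshakes
SPOOFED = [Probe(src, "udp") for src in NEEDED]
SCANNER = Probe("203.0.113.66", "tcp", verified=True)
TRAFFIC = SPOOFED + [SCANNER]


def cut_off(policy, ignore: set[str]) -> set[str]:
    """Legitimate hosts this policy would wrongly firewall under TRAFFIC."""
    return blocked_hosts(policy, TRAFFIC, ignore) & NEEDED


if __name__ == "__main__":
    print("naive, empty ignore file :", cut_off(naive_block, set()))
    print("naive, root NS ignored   :", cut_off(naive_block, ROOT_NS))
    print("hardened                 :", cut_off(hardened_block, set()))
```

The second case is the thread's point: listing the root servers saves DNS but the mailing-list host still gets blocked, whereas the hardened policy blocks only the verified TCP scanner.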