Re: (no subject)

From: Kris Kennaway (kris@obsecurity.org)
Date: 01/28/01

• Next message: Chris: "Re: (no subject)"
• Previous message: FBSDSecure@aol.com: "Re: (no subject)"
• In reply to: FBSDSecure@aol.com: "Re: (no subject)"
• Next in thread: Chris: "Re: (no subject)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Sun, 28 Jan 2001 02:30:05 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: FBSDSecure@aol.com

On Sun, Jan 28, 2001 at 05:21:19AM -0500, FBSDSecure@aol.com wrote:

> addresses are valid and which are not. So spoofing an IP address is pretty
> close to impossible from a Dialup, xDSL, or cable modem. Another thing to

Wrong. If this were true, packet-flooding based denial of service
attacks would be almost impossible since they would be easily blocked
and traced. The sad fact of the matter is that the majority of
networks on the internet today, including ISPs do not implement egress
filtering.

> point out though is if a hacker were to spoof his IP address and do a port
> scan, what would be the point? The data is useless if it can't get back to
> the individual. Besides, the portsentry package has a ignore file.

You miss the point: the attacker won't get any information back out of
it, but if you have a fascist response to port scans which blackholes
all traffic coming from the IP address of the port scan, the attacker
can spoof the packets to come from a server which is critical to the
operation of your machine, such as your ISP's DNS servers, or mail
servers, which will cause your machine to blackhole them and thereby
shoot itself in the foot. At a lower level of annoyance, you can
blackhole popular websites like google which the user might use.

The point is that automated active response is almost always a bad
idea, because it can be fooled into doing more harm than good.

Kris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

---

• application/pgp-signature attachment: stored

---

• Next message: Chris: "Re: (no subject)"
• Previous message: FBSDSecure@aol.com: "Re: (no subject)"
• In reply to: FBSDSecure@aol.com: "Re: (no subject)"
• Next in thread: Chris: "Re: (no subject)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: (no subject) ... but if you have a fascist response to port scans which blackholes ... > all traffic coming from the IP address of the port scan, the attacker ... > servers, which will cause your machine to blackhole them and thereby ... > blackhole popular websites like google which the user might use. ... (FreeBSD-Security) RE: Is MS06-018 a DoS or a system compromise ? ... There were servers which had port 3372 accessible ... (a firewall rule misconfiguration was making TCP ports ... hack the server on this port, but I think DTC was the culprit. ... "An attacker could cause the Microsoft Distributed ... (Bugtraq) Re: Apache FreeBSD exploit released ... >> The only way to trace the attacker i have found so far is to do a netstat ... >> port. ... >> Anyone know of any ports or tools i could use on my servers to watch out ... > and log chunked requests. ... (FreeBSD-Security) Re: [opensuse] Remote upgrade problem ... All my remote sites have serial console servers connected. ... CCM840 8 port, dedicated local console ... (SuSE) Re: Blocking attacks from spoofed IP addresses ... cause a _Self_ Denial Of Service attack. ... Defeating Denial of Service Attacks ... of our DMZ servers, and had source IPs from our public DNS servers. ... Web services are on your port 80 and/or 443, ... (comp.os.linux.networking)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > FreeBSD-Security  > 2001-01