Re: (no subject)

From: FBSDSecure@aol.com
Date: 01/30/01


From: FBSDSecure@aol.com
Date: Tue, 30 Jan 2001 02:54:10 EST
To: freebsd-security@freebsd.org

In a message dated 1/28/01 2:29:59 AM Pacific Standard Time,
kris@obsecurity.org writes:

> > addresses are valid and which are not. So spoofing an IP address is pretty
> > close to impossible from a Dialup, xDSL, or cable modem. Another thing to
>
> Wrong. If this were true, packet-flooding based denial of service
> attacks would be almost impossible since they would be easily blocked
> and traced. The sad fact of the matter is that the majority of
> networks on the internet today, including ISPs, do not implement egress
> filtering.
>
> > point out though is if a hacker were to spoof his IP address and do a port
> > scan, what would be the point? The data is useless if it can't get back to
> > the individual. Besides, the portsentry package has an ignore file.
>
> You miss the point: the attacker won't get any information back out of
> it, but if you have a fascist response to port scans which blackholes
> all traffic coming from the IP address of the port scan, the attacker
> can spoof the packets to come from a server which is critical to the
> operation of your machine, such as your ISP's DNS servers, or mail
> servers, which will cause your machine to blackhole them and thereby
> shoot itself in the foot. At a lower level of annoyance, you can
> blackhole popular websites like google which the user might use.
>
> The point is that automated active response is almost always a bad
> idea, because it can be fooled into doing more harm than good.
>
> Kris
>
>

Then why don't the ISPs use egress filtering? To me it would stop a lot of
the junk that is going on on the internet. Like I said, all critical IPs are
placed in the ignore file. The DNS and email servers I did not consider, but
they will be added. Thanks for the tip.

Dan.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
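
The exchange above, as an added example (not part of the original message and not portsentry's own code): it audits an ignore list against the hosts a machine depends on, then replays scan alerts, whose source addresses may be forged, through a block-on-scan responder. The ignore-file format, host names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed ignore list: one address or CIDR per line, '#' starts a comment.
# This format is an assumption made for the example.
IGNORE_FILE = """\
# local addresses
127.0.0.1
192.0.2.10        # this host
192.0.2.0/28      # management LAN
"""

# Constructed hosts this machine depends on (documentation address ranges).
CRITICAL = {"isp-dns-1": "198.51.100.53", "isp-mail": "198.51.100.25",
            "gateway": "192.0.2.1"}

# Constructed scan alerts. Each entry is only the source address the packets
# claimed, so the responder cannot tell a real scanner from a forged source.
ALERTS = ["203.0.113.7", "198.51.100.53", "192.0.2.1", "203.0.113.7"]

def parse_ignore(text):
    """Return the ignore list as ip_network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_ignored(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def uncovered_critical(critical, nets):
    """Critical hosts a forged scan could get blackholed (not in the list)."""
    return sorted(n for n, a in critical.items() if not is_ignored(a, nets))

def respond(alerts, nets):
    """Block-on-scan policy: blackhole every alert source not in the list."""
    blackholed = []
    for src in alerts:
        if not is_ignored(src, nets) and src not in blackholed:
            blackholed.append(src)
    return blackholed

def self_inflicted(blackholed, critical):
    """Critical hosts the responder cut off by its own action."""
    return sorted(n for n, a in critical.items() if a in blackholed)

if __name__ == "__main__":
    nets = parse_ignore(IGNORE_FILE)
    print("not covered:", uncovered_critical(CRITICAL, nets))
    print("cut off by responder:", self_inflicted(respond(ALERTS, nets), CRITICAL))
```

Running the audit whenever the resolver or mail relay configuration changes keeps the ignore list from drifting behind the hosts the machine actually depends on.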