Re: workstation attacks vs. server attacks
From: Walter Roberson (roberson@ibd.nrc.ca) Date: 01/22/02
- Next message: Walter Roberson: "Re: what if the message-ID generator generates a dirty word?"
- Previous message: Walter Roberson: "Re: Schneier: Trust, but verify, Microsoft's pledge"
- In reply to: Barry Margolin: "Re: workstation attacks vs. server attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: roberson@ibd.nrc.ca (Walter Roberson) Date: 22 Jan 2002 03:20:27 GMT
In article <sC_28.10$hI5.276522@burlma1-snr2>,
Barry Margolin <barmar@genuity.net> wrote:
:Also, although any desktop Unix system *could* be an SMTP server by running
:sendmail, most probably don't.
My educated guess would be that most probably *do*. Mail is used by
unix system daemons to communicate with the administrator (e.g.,
in case a cron job fails), so a mailer daemon would tend to be turned ON by
default on Unix systems.
:In order for someone to direct
:an attack, they have to know about the target machine. From this
:perspective, a "server" is most likely one that's identified as such in
:DNS: it's named www.<something>, it's the target of a domain's MX record,
:etc.
The usual these days is just to probe addresses at random, or probe
entire address spaces, and let the script figure out whether it's
talking to a vulnerable kind of system or not.
The proportion of attacks directed specifically at our DNS servers
is very small -- it takes too much thinking time to worry about
domains when IP addresses exist and are predictable (and it's the
DNS servers -not- mentioned in NS records that are most likely to
not be secured.)
We do, admittedly, see formmail.pl probes directed against our www
server specifically -- but those are probes from people who are
*already* engaged in email address harvesting, so for them to take
extra note of any www sites encountered is not much extra effort compared
to examining DNS entries.
:The difference between servers and workstations, as you can see,
:is based on the typical mix of software that they run, with a corresponding
:difference in the types of attacks that crackers try against them.
I can't say that I "see" that yet. The evidence that I can point to in
my logs is of broad probes directed against whatever's out there,
typically looking for one vulnerability at a time. Relatively few of
those probes so far seem to try to identify the machine and run an
appropriate targeting script, but I think it likely that such probes
will increase.
:I don't have an answer, but I think this clarification may allow for more
:intelligent discussion of the real issue, rather than the tangent about
:whether this or that machine is a workstation or server.
Could we get a recap of what the "real issue" *is*, then? Because it
was phrased in terms of "workstation" and "server", so we can't answer
it until we understand what each of those are.
The question would be a lot easier to tackle if it were bluntly put
in terms of what portion of attacks are against Microsoft desktop
operating systems (95/98/ME/NT [34] desktop/W2K desktop/XP desktop)
as compared to Microsoft server OSs (NT [34] server, W2K server, XP
server) and as compared to other OSs (especially Unix servers).
On the other hand, I understand that NT, W2K, and XP desktops are
not very different from the corresponding server versions, so we
might well not be able to distinguish between attacks unless we
have a honeypot set up.
I could run some analyses on my firewall logs. If, that is,
someone cares to develop a firm metric as to how to count the
various nimda attacks...
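One concrete way to state the counting metric the message asks for, as an added example that is not part of the original thread: collapse each source's burst of probe requests into a single attack and record which probe families it tried, so a script that fires ten request variants in three seconds counts once. The marker substrings, the 10-minute burst window and the log lines are this example's own assumptions and constructed input.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAMILIES = {  # probe families, matched as substrings of the lower-cased path (assumed markers)
    "nimda": ("root.exe", "cmd.exe", "..%5c", "..%255c", "..%c0%af", "/_vti_bin/", "/msadc/"),
    "formmail": ("formmail.pl", "formmail.cgi"),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
WINDOW = timedelta(minutes=10)  # probes from one source closer than this count as one attack

SAMPLE_LOG = [  # constructed Apache-style lines; per-source order is chronological
    '10.0.0.5 - - [22/Jan/2002:03:10:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292',
    '10.0.0.5 - - [22/Jan/2002:03:10:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 292',
    '10.0.0.5 - - [22/Jan/2002:03:10:03 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292',
    '10.0.0.5 - - [22/Jan/2002:04:30:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292',
    '192.0.2.9 - - [22/Jan/2002:03:15:00 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 280',
    '192.0.2.9 - - [22/Jan/2002:03:15:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292',
    '198.51.100.3 - - [22/Jan/2002:03:20:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
]

def classify(path):
    """Return the probe family a request path matches, or None for ordinary traffic."""
    p = path.lower()
    for family, markers in FAMILIES.items():
        if any(m in p for m in markers):
            return family
    return None

def count_attacks(lines):
    """Per source: raw probe requests, collapsed attacks (one per burst), and families seen."""
    last_seen = {}
    stats = defaultdict(lambda: {"requests": 0, "attacks": 0, "families": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand
        src, ts, _method, path, _status = m.groups()
        family = classify(path)
        if family is None:
            continue  # ordinary traffic, not a probe
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        s = stats[src]
        s["requests"] += 1
        s["families"].add(family)
        if src not in last_seen or when - last_seen[src] > WINDOW:
            s["attacks"] += 1  # gap longer than WINDOW: a new attack, not the same burst
        last_seen[src] = when
    return {src: {**v, "families": sorted(v["families"])} for src, v in stats.items()}
```

On the constructed input, 10.0.0.5 shows 4 requests but 2 attacks (a three-request burst and a separate visit eighty minutes later), while 192.0.2.9 shows one attack that tried both the formmail and nimda families.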