[plug] Monday meeting summary, Channel 7 tour offer

Christian christian at amnet.net.au
Tue May 23 12:51:06 WST 2000


On Tue, May 23, 2000 at 12:13:06PM +0800, Leon Brooks wrote:
> Christian wrote:
> > scripts
> > which "intelligently" react to block probes etc. are generally a bad
> > idea and typically open a bigger vulnerability than they close.
> 
> A lot depends on how they react. Temporarily adding an IPChains entry,
> and extending that to cover a subnet if necessary, limit of 20 per
> customer, hardly seems like a "vulnerability". I already block martians,
> unused/potentially-insecure services and do egress filtering, so I can't
> see how more blocking could increase my risk.

If you want to block outside access to a service then block it all the
time -- not just when you detect a probe.  If you block based on IP when
you detect a probe then consider how trivial it would be to deny you
service.  Let's say you configure your border router to block any IP
that connects to, say, more than 5 different non-active ports on
machines inside your network.  The block only lasts for, say, 5 minutes.
My response is to set up a small program running as a cron job every 3
minutes which sends 5 SYN packets to known blocked ports on machines
inside your network.  However, the program spoofs the source address to
be the PLUG mailing list's mail server.  The result?  You cannot post
anything to this list and I expend very little bandwidth.  It's starting
to sound like a good idea, isn't it?
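The reactive-block rule and the spoofing problem described above, modelled as an added example (not code from the thread or from any product named in it): a blocker that counts distinct closed-port probes per source address and compares it with one that only credits a source after the sensor's SYN/ACK was answered, so a forged source address never accumulates a count. The IPs, the `PROBES` log and the `handshake_completed` field are constructed assumptions for the demonstration.

```python
from collections import defaultdict

MAIL_SERVER = "192.0.2.10"  # constructed: a peer you must keep reachable

# Constructed probe log: (time_s, src_ip, dst_port, handshake_completed).
# handshake_completed assumes the sensor answers probes to unused ports
# with SYN/ACK and records whether a matching ACK came back. A spoofed
# SYN never completes, because the SYN/ACK goes to the forged address.
PROBES = [
    (0, MAIL_SERVER, 79, False), (1, MAIL_SERVER, 111, False),
    (2, MAIL_SERVER, 513, False), (3, MAIL_SERVER, 514, False),
    (4, MAIL_SERVER, 2049, False),
    (10, "198.51.100.7", 79, True), (11, "198.51.100.7", 111, True),
    (12, "198.51.100.7", 513, True), (13, "198.51.100.7", 514, True),
    (14, "198.51.100.7", 2049, True),
]


class ReactiveBlocker:
    """Blocks a source once it has touched >= threshold distinct closed ports."""

    def __init__(self, threshold=5, block_secs=300, require_handshake=False):
        self.threshold = threshold
        self.block_secs = block_secs
        self.require_handshake = require_handshake
        self.ports = defaultdict(set)   # src -> distinct closed ports seen
        self.blocked_until = {}         # src -> block expiry time

    def observe(self, t, src, port, completed):
        if self.require_handshake and not completed:
            return  # source address unverified: do not attribute the probe
        self.ports[src].add(port)
        if len(self.ports[src]) >= self.threshold:
            self.blocked_until[src] = t + self.block_secs

    def is_blocked(self, src, t):
        return self.blocked_until.get(src, -1) > t


def run(require_handshake):
    """Replay the log and report who is blocked at t=20s."""
    b = ReactiveBlocker(require_handshake=require_handshake)
    for t, src, port, completed in PROBES:
        b.observe(t, src, port, completed)
    return {src: b.is_blocked(src, 20) for src in (MAIL_SERVER, "198.51.100.7")}


if __name__ == "__main__":
    print("naive:", run(False))      # mail server blocked by forged probes
    print("hardened:", run(True))    # only the real scanner is blocked
```

With the naive rule the five forged SYNs are enough to cut off the mail server; the handshake-verified rule still blocks the genuine scanner while ignoring traffic whose source cannot be confirmed.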
