[plug] Active response IDSs?

Grahame Bowland grahame at azale.net
Sat Aug 3 20:10:23 WST 2002


On Sat, 3 Aug 2002 11:01 am, bob wrote:
> On Sat, 2002-08-03 at 02:10, Craig Ringer wrote:
> > bob wrote:
> > >Anyone have anything they care to share regarding active response IDSs?
> > >I seem to be being hammered a bit at the moment and was wondering if
> > >there was anything decent in the way of IDS responses.
> >
> > Portsentry is the only one I've personally tried, but I ended up
> > ditching it in favour of a passive setup of paranoid iptables blocks and
> > logging. I was running it on a firewall, though, where its usefulness is
> > questionable (if you're running no services and dropping all unrequested
> > packets from the outside world, what good does an active response IDS do
> > you?) Perhaps there's something I'm missing, but portsentry wouldn't
> > even get the packets on a firewall configured to drop external incoming
> > traffic not associated with an (internally initiated) connection, would
> > it?
>
> Ok, this is probably just me being paranoid but if "they" are sniffing
> around on random ports I figure they're looking for 'sploits. What I was
> hoping to find was something like... IP# sniffs at blocked port# that is
> a known hole, IDS takes note of that being logged and adds iptables rule
> that drops IP# period. That way they don't get to try stuff on ports
> that are open... though thinking about it if an evil h4><3r has a brand
> new 'sploit for say apache they're going to go straight for the kill and
> not poot around poking ports :( so they skirt the whole drop IP# thing.
>
> Speaking of "they" I'm about ready to drop all of ifrance.com just on
> principle.

If you go from a TCP SYN packet and an IP address associated with it to an 
iptables rule, you allow anyone to deny service to your system (or to selected 
users of it). The IP address associated with the SYN can be trivially 
spoofed. They could even spoof the IP address of your external gateway and 
have you cut yourself off.

The only sane way would be to have a setup where connection to any port 
results in an ACK, and then filter them when they send a SYN,ACK back. At 
that point you know that two-way communication is possible, so they're not 
spoofing the connection (assuming your ISN is sufficiently random, etc.)

However, keeping state for every connection to any port on your system is 
probably worse than just setting up sensible filter rules and letting them 
scan you.

-- 
Grahame Bowland - <grahame at azale.net>
'All programmers are playwrights and all computers are lousy actors'
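A constructed Python simulation of the two auto-block policies contrasted above (added here; it is not code from the thread or from any of the tools mentioned). It feeds the same small packet trace to a naive "block on SYN" responder and to one that blocks only after the standard SYN / SYN,ACK / ACK handshake completes against a fresh ISN; the gateway and scanner addresses are made-up documentation values, and the handshake is modelled on flag sets and sequence numbers only.

```python
import secrets
from dataclasses import dataclass

GATEWAY = "203.0.113.1"   # constructed: our own upstream gateway
SCANNER = "198.51.100.7"  # constructed: a host genuinely probing us
SYN, ACK, SYNACK = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"SYN", "ACK"})

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    flags: frozenset
    seq: int = 0
    ack: int = 0

def block_on_syn(packets):
    """Naive policy: block the claimed source address of every bare SYN."""
    return {p.src for p in packets if p.flags == SYN}

class HandshakeResponder:
    """Block a source only after it completes the three-way handshake."""
    def __init__(self, isn_source=lambda: secrets.randbits(32)):
        self.isn_source = isn_source
        self.pending = {}      # (src, sport) -> ISN we sent in our SYN,ACK
        self.blocked = set()

    def receive(self, p):
        key = (p.src, p.sport)
        if p.flags == SYN:                          # step 1: their SYN
            isn = self.isn_source()
            self.pending[key] = isn
            return Packet("us", 0, SYNACK, seq=isn, ack=p.seq + 1)  # step 2: our SYN,ACK
        if p.flags == ACK and key in self.pending:  # step 3: their final ACK
            if p.ack == self.pending.pop(key) + 1:  # only a host that saw our ISN gets here
                self.blocked.add(p.src)

def simulate(isn_source=lambda: secrets.randbits(32)):
    """Run one constructed trace; return (naive_blocked, handshake_blocked)."""
    r = HandshakeResponder(isn_source)
    # A real scanner sees our SYN,ACK and answers with the correct ack number.
    probe = Packet(SCANNER, 40000, SYN, seq=1000)
    reply = r.receive(probe)
    final = Packet(SCANNER, 40000, ACK, seq=1001, ack=reply.seq + 1)
    r.receive(final)
    # A spoofer forging the gateway's address never sees our SYN,ACK (it went to
    # the real gateway), so its final ACK can only carry a guessed number.
    spoof = Packet(GATEWAY, 40001, SYN, seq=5000)
    r.receive(spoof)
    guess = Packet(GATEWAY, 40001, ACK, seq=5001, ack=1)
    r.receive(guess)
    return block_on_syn([probe, final, spoof, guess]), r.blocked
```

With a random ISN the naive policy blocks the gateway while the handshake policy blocks only the scanner; passing a constant ISN source to `simulate` shows the "sufficiently random ISN" caveat, since a guessable ISN lets the spoofed ACK pass too.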