[plug] Active response IDSs?

bob bob at fots.org.au
Sat Aug 3 20:50:26 WST 2002 

On Sat, 2002-08-03 at 20:10, Grahame Bowland wrote:
> 
> If you go from a TCP SYN packet and an IP address associated with it to a 
> iptables rule you allow anyone to denial of service your system (or selected 
> users of it.) The IP address associated with the SYN can be trivially 
> spoofed. They could even spoof the IP address of your external gateway and 
> have you cut yourself off.

Perhaps a list of "friendly IPs" ? That of course means that spoofed IPs
will be able to get away with a lot more (but if you log without taking
action...) mind you the h4><0r has to guess what those IPs are or that
you even have such a system in place. 
 
> The only sane way would be to have a setup where connection to any port 
> results in an ACK, and then filter them when they send a SYN,ACK back. At 
> that point you know that two-way communication is possible, so they're not 
> spoofing the connection (assuming your ISN is sufficiently random, etc.)

I'd rather just DROP and be invisible on ports I'm not wanting to share.
Fwlogwatch seems very nice. Lots of neat tricks, like being able to do a
whois  and sending email to the IPs owners regarding the attack
automaticaly. Very configurable and open ended as to actions it takes.
Thanks Ryan for pointing it out to me :).
 
> However, keeping state for every connection to any port on your system is 
> probably worse than just setting up sensible filter rules and letting them 
> scan you.

True.

Mind you there's active and there's ACTIVE :). I read somewhere or other
about a project to find out what the real distribution of OSs was online
where they sent various packets to machines to try and figure out what
the OS was, some of the responses were a bit on the active side... one
of the systems owned the box in something like less than a minute from
starting the probe. Obviously fully automatic and hair triggered :).

I'm quite sure such a response would be frowned on by the law so I'm not
even going to contemplate it.

> - -- 
> Grahame Bowland - <grahame at azale.net>

-- 
bob
Cave canem...te necet lingendo.

More information about the plug mailing list