Subject: Re: False Sense of Security?
From: Bennett Todd (betRAHUL.NET)
Date: Thu Nov 16 2000 - 17:07:37 CST


> You can have _your systems_ react to it.

Automatic response, often discussed, sometimes implemented.

> Any source that tries [ a portscan ] will trigger an event that
> automatically reconfigures the firewall so that the source is
> completely blocked for a specified time.

_Cool_! So if someone wants to take you completely off the air for a
"specified time", all they have to do is send you something like
13,000 packets (if your IDS trips on 1000 sequential probes as a
"portscan") 1,000 each from the (forged) src addrs of the 13 root
nameservers. That's _fun_![1]

Or they could be finer-grained with their forged src addrs, send
1000 (or however many it takes to trip the alarm) and
simply conceal one specific host from you. Perhaps the
primary nameserver of a domain whose secondary they've burgled, and
who they want to impersonate for purposes of taking advantage of
some trust relationship you have with the organization in question.

Or maybe they just want to block your IDS's access to your pager
company's server.

Automatic response to detected attacks is very, very tricky to make
safe. It's taking an automatic action based on data which is
potentially completely controlled by an attacker.

Think back to the discussions when people talked about doing various
back-probes from scripts called out of tcp-wrappers, back in the
early '90s or thereabouts, and the many different problems that
arose in that setting. People weren't so active with forged src
addrs then as they are now; active response has gotten more
dangerous, not less.

-Bennett

[1] "_fun_", at least, for a certain species of idiot that's all too
    common on the internet these days.
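As an added illustration (not part of Bennett's post), the following Python model contrasts a naive auto-block rule that trusts the source address with a hardened one that only counts probes whose TCP handshake actually completed and that refuses to block a protected list of hosts (nameservers, the pager gateway). All addresses, the threshold and the `NEVER_BLOCK` list are constructed assumptions, not values from the thread.

```python
from collections import Counter, namedtuple

# One observed probe: source address, destination port, and whether the
# peer completed the TCP handshake (a blind spoofer cannot do that).
Event = namedtuple("Event", "src dst_port completed")

# Hypothetical "never auto-block" list: upstream nameservers and the host the
# IDS uses to reach the pager company. Documentation-range addresses, constructed.
NEVER_BLOCK = {"192.0.2.1", "192.0.2.2", "203.0.113.9"}
THRESHOLD = 1000  # probes from one source that the IDS treats as a "portscan"


def build_sample_events():
    """Constructed traffic: SYN-only probes forged from each protected host,
    plus one real scanner (198.51.100.7) whose connections actually complete."""
    events = []
    for spoofed in sorted(NEVER_BLOCK):
        events += [Event(spoofed, p, False) for p in range(1, THRESHOLD + 1)]
    events += [Event("198.51.100.7", p, True) for p in range(1, THRESHOLD + 1)]
    return events


def naive_policy(events, threshold=THRESHOLD):
    """Block every source that trips the threshold, trusting the src address.
    Forged sources get the protected hosts firewalled off for free."""
    counts = Counter(e.src for e in events)
    return {src for src, n in counts.items() if n >= threshold}


def hardened_policy(events, threshold=THRESHOLD, never_block=NEVER_BLOCK):
    """Count only completed-handshake probes as evidence, never auto-block a
    protected host, and queue protected hosts that trip the threshold for a
    human to look at instead. Returns (blocked, needs_review)."""
    confirmed = Counter(e.src for e in events if e.completed)
    raw = Counter(e.src for e in events)
    blocked = {s for s, n in confirmed.items()
               if n >= threshold and s not in never_block}
    needs_review = {s for s, n in raw.items()
                    if n >= threshold and s in never_block}
    return blocked, needs_review


if __name__ == "__main__":
    sample = build_sample_events()
    print("naive blocks:   ", sorted(naive_policy(sample)))
    blocked, review = hardened_policy(sample)
    print("hardened blocks:", sorted(blocked), "review:", sorted(review))
```

The naive rule blocks all four sources, the three forged ones included; the hardened rule blocks only the scanner that really connected and escalates the rest.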