Subject: Re: False Sense of Security?
From: Michael Young (mike at UTOPIA2.COM)
Date: Fri Nov 17 2000 - 00:03:35 CST
- Next message: Jacob Martinson: "Re: False Sense of Security?"
- Previous message: Keiji Takeda: "Re: Gigabit IDS solutions"
- In reply to: Frank Knobbe: "Re: False Sense of Security?"
- Next in thread: Jacob Martinson: "Re: False Sense of Security?"
- Reply: Michael Young: "Re: False Sense of Security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
With most "route reject" packages, you are able to put in an IP exclusion
list, so that your default gateway (and mail, DNS, etc) is never blocked,
even if it is spoofed. Of course, that implies that you have hardened your
gateway and other boxes so they can't REALLY be used as a source of attack.
Mike
-----Original Message-----
From: Focus on Intrusion Detection Systems
[mailto:FOCUS-IDS at SECURITYFOCUS.COM] On Behalf Of Frank Knobbe
Sent: Thursday, November 16, 2000 8:09 PM
To: FOCUS-IDS at SECURITYFOCUS.COM
Subject: Re: False Sense of Security?
> -----Original Message-----
> From: Dragos Ruiu [mailto:dr at kyx.net]
> Sent: Thursday, November 16, 2000 6:36 PM
>
> And if I spoof an attack as coming from your default gateway?
Nah, my default gateway doesn't send me stuff, and I don't send data
to it. I get your point though.
> Autoresponse/autoblock functions should be considered
> "inherently dangerous,"
So is being connected to the Internet... :)
> imho. It's like wiring up a shotgun to your unattended
> burglar alarm. (Ok, I
> concede exaggeration here. ;-) The flexresp feature of snort is
> one I lament and think ought to have "suitable only for mature
> viewers" warnings... :-)
I agree, and in the discussion I had offline it was assumed that I
actively send a TCP reset. That's not what happens. I agree that
this setup is dangerous and not suited for everyone. Here is my take:
My firewall drops all packets. It does not send any ICMP port
unreachables or the like. 1020 ports are silent (dropped), 4 are open
with services behind them. If a connection attempt to a filtered port
(i.e. 111) occurs, the firewall will close up and drop every packet
coming from that source.
That means, if someone starts to poke around, chances are good that
the firewall is reconfigured before he hits an open port. In that
case it just silently drops everything, just like I were offline.
This does not cause any suspicion.
If someone connects to port 25 first, realizes it is open, checks port
111 and maybe a few others, and comes back to port 25, it will be
closed, just like I pulled the plug. That is the only time someone
would notice a change in behavior.
I agree that if the firewall (or even snort itself) would send a
reset, someone might find that amusing and start to bombard the
firewall with spoofed IP addresses. But that is not what is
happening, the firewall just falls silent (link down? Modem
disconnected? Oh well...)
No one would suspect such a system being in place (unless someone
posts to a mailing list and publicly announces it... *cough*).
The risks, I believe, are minimal, and the setup provides good
protection. Script-kiddies simply move on. If I had someone more
serious trying to get into my system, maybe a corporate spy, he would
be more careful. As soon as he recognizes an active change in
behavior of the FW and finds himself filtered, he will most likely be
quiet for a while figuring that I detected and countered his
activities.
If someone does realize that here is opportunity for a DoS, then I
can always pull the manual override lever and leave the system
deactivated for a while. If someone has enough ambition to launch a
DoS, then I need to coordinate with ISPs and law enforcement anyway.
What this setup buys me is protection from those annoying ankle
biters that like to poke around. Services that are open (i.e. web,
SMTP) will fall silent, at least for them, so they can't run their
scripts.
I know that this system should not be left unattended, but then
again, you shouldn't leave your firewall unattended either.
Thank you for your concerns, though. I think I'll add a DoS detection
into my script so that this mechanism gets temporarily deactivated if
a threshold of filtered IPs is exceeded.
> What's your IP address again? ... ;-)
:)
Regards,
Frank