OSEC

Subject: Re: False Sense of Security?
From: Krassimir Tzvetanov (krassiBOL.BG)
Date: Sat Nov 18 2000 - 03:42:43 CST


Bennett Todd wrote:

> > You can have _your systems_ react to it.
>
> Automatic response, often discussed, sometimes implemented.
>
> > Any source that tries [ a portscan ] will trigger an event that
> > automatically reconfigures the firewall so that the source is
> > completely blocked for a specified time.
>
> _Cool_! So if someone wants to take you completely off the air for a
> "specified time", all they have to do is send you something like
> 13,000 packets (if your IDS trips on 1000 sequential probes as a
> "portscan") 1,000 each from the (forged) src addrs of the 13 root
> nameservers. That's _fun_![1]

It's not a problem, at least in this case. You can implement Reflexive
Access lists (if you have a Cisco router) and block the violating traffic with
any other kind of list (e.g. extended) on your incoming interface. If your
nameserver needs to talk to some of the root name servers, a temporary permit
entry (from the reflexive list, based on source and dest port) will be put
IN FRONT OF the ext ACL, so even if you have blocked the IP of this name server
(thinking it's attacking you) you'll be able to get your response back. I
just want to remind you that reflexive lists work with UDP as well as with
TCP.

Also, about having a lot of problems set: I'll use one more Cisco idea. When
they have a SYN flood, one of the policies of TCP intercept is to decrease
the timeout after a SYN has been sent if there are too many connections in
this state. So you can decrease the lockout time when there are too many
lockouts.

Being locked out is not so big a problem, especially if you're not providing a
service. So in my opinion it's OK to use IP lockouts based on rule
violations.

                                            Krassi