Subject: Re: RES: DoS Attack - How do we have to react ?
From: sigippWELLA.COM.BR
Date: Wed Jun 28 2000 - 07:08:59 CDT


Hi,

> I like to *always* leave a present for intruders on several unused TCP ports
> of my machine, because why would a curious person be connecting to a port
> like 31337 or 12345 of my machine since it runs Linux or a *BSD-like? Just
> put a DoS service there such as jolt2, then when the machine connects, p00f. The
> attacker is gone :) Good revenge huh? (Also let ipchains log which ports
> the attacker tries to connect to, then you can have an idea of which ports
> to put the DoS on).

O.k., I have now thought about it. Basically I still think the concept of having
some "trap" server running is a very nice idea. The legal aspects of a
counter-attack were already discussed here, and I agree. I think there is a
technical problem too. If I know of such a machine, I could use it to attack
anyone by spoofing an attack to that machine. So here we have a real nasty
problem with it.

But such a trap server could be very useful. For example in obtaining any
possible information about the attacker, alerting the admin, creating an attacker
profile, and so on. Maybe also those ideas I already mentioned about fooling the
attacker, although this fits better in the category "kidding" (although I do like
kidding sometimes, it's fun).

I'd try to use attack profiles generated by those trap servers to automatically
improve security settings. It would be a nice project to create a program doing
this. Up to now I do not have a really good idea on how to do it. Well, let's
see...

Greetings
Siegfried Gipp
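
The attacker-profile idea from the message above, sketched as an added example that is not part of the original post: it reads ipchains packet-log lines, groups hits on the trap ports by source address, and produces an alert list for the admin rather than any automatic reaction, since the source of a denied packet can be spoofed. The log layout is assumed to be the kernel "Packet log:" format written by ipchains `-l`; the sample lines, the trap-port set and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed ipchains "-l" layout: chain, verdict, interface, PROTO=n, src:port, dst:port
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
TRAP_PORTS = {12345, 31337}  # the unused ports named in the thread
ALERT_THRESHOLD = 2          # hypothetical: distinct trap ports before alerting

# Constructed sample log lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
Jun 28 07:01:10 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1041 198.51.100.5:31337 L=60 S=0x00 I=4211 F=0x4000 T=52 SYN (#3)
Jun 28 07:01:12 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1042 198.51.100.5:12345 L=60 S=0x00 I=4212 F=0x4000 T=52 SYN (#3)
Jun 28 07:01:15 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1043 198.51.100.5:31337 L=60 S=0x00 I=4213 F=0x4000 T=52 SYN (#3)
Jun 28 07:02:40 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2200 198.51.100.5:12345 L=60 S=0x00 I=901 F=0x4000 T=48 SYN (#3)
Jun 28 07:02:41 host kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:2201 198.51.100.5:53 L=45 S=0x00 I=902 F=0x0000 T=48 (#4)
Jun 28 07:03:00 host kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:2202 198.51.100.5:80 L=60 S=0x00 I=903 F=0x4000 T=48 SYN (#1)
"""

def build_profiles(log_text):
    """Group TCP hits on trap ports by (unverified) source address."""
    profiles = defaultdict(lambda: {"ports": set(), "hits": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "6":      # TCP only; skip unparsable lines
            continue
        dport = int(m["dport"])
        if dport not in TRAP_PORTS:         # normal services are not part of the trap
            continue
        p = profiles[m["src"]]
        stamp = line[:15]                   # syslog timestamp prefix, e.g. "Jun 28 07:01:10"
        p["ports"].add(dport)
        p["hits"] += 1
        p["first"] = p["first"] or stamp
        p["last"] = stamp
    return dict(profiles)

def sources_to_alert(profiles):
    """Sources that touched enough distinct trap ports to tell the admin about.
    A denied SYN proves nothing about who sent it, so this list is for a human
    to review, not input for an automatic block or counter-measure."""
    return sorted(s for s, p in profiles.items() if len(p["ports"]) >= ALERT_THRESHOLD)

if __name__ == "__main__":
    for src in sources_to_alert(build_profiles(SAMPLE_LOG)):
        print("review:", src)
```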