Security Incidents mailing list archives
Re: traffic logging
From: crowland () PSIONIC COM (Craig H. Rowland)
Date: Mon, 8 May 2000 13:25:46 -0500
Hello, I'm the author of the PortSentry software and would like to add some comments to this thread.
Humm... I don't much care for PortSentry's retaliation sequence. The suggested action (blocking the route, adding offending host to hosts.deny, setting up a firewall rule to deny all traffic coming from the offending host) really turns me off - it creates a nice, simple DoS on its own.
A lot of people say this and the scenario is stated many times in the software documentation in the interest of full-disclosure for the user.
From the actual field-use perspective, I've never heard of this problem being a serious issue from any user at all. In other words, I've had absolutely zero complaints of actual attacks doing this that weren't related to direct hostile activity against a host. The DoS issue is simply not relevant from the field deployments I've seen. FWIW.
After obtaining shell access to some of the DMZ servers we simply telnetted to one of the 'decoy' ports on the admin's PortSentried gateway, once from each of the machines.
Well, I don't recommend that people ignore any systems on their network. The premise to this is that friendly systems may be compromised and could be used as launch points to attack other internal hosts. This sounds like that case exactly. I suspect that the admin in this case was a little too lazy and didn't follow up on the alarms. I know that I'd certainly be suspicious if one of my DMZ machines was portscanning me (especially if nothing like that has happened before). In defense of the software, I think it performed as expected by alerting the administrator to trouble. There is only so much you can do though if the admin fails to follow up on what obviously is a very out-of-place situation.
Note that there were many mistakes and misconfigurations on his part, but ones made solely on the errant premise that his own machines would not attack him. Which is quite foolish to believe.
I agree that this was his main problem. I think the first rule of good computer security is to never trust anything.

-- Craig
Main Page http://www.psionic.com
Jobs! http://www.psionic.com/misc/career
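As an added illustration of the distinction drawn in this thread (alert on every decoy-port hit, including from your own hosts, but think about what an automatic route/firewall block does when the source is a machine you depend on), here is a small Python model. It is not PortSentry's code; the decoy port set, the host addresses and the log lines are constructed for the example.

```python
"""Toy model of a decoy-port responder and the self-DoS failure mode.

Two policies are compared on the same constructed log lines:
  naive=True  : block the source of every decoy-port hit (route/hosts.deny
                style), so a compromised or spoofed DMZ/DNS box gets you
                to cut off your own infrastructure.
  naive=False : still alert on everything, but only auto-block sources that
                are not on a short list of hosts whose loss is itself a DoS;
                those are escalated to a human instead of being ignored.
Hypothetical values throughout; nothing here is PortSentry's actual config.
"""
from dataclasses import dataclass, field
import re

DECOY_PORTS = {1, 11, 15, 111, 1524, 31337}     # constructed decoy set
CRITICAL_HOSTS = {"10.0.0.1", "10.0.0.53"}      # constructed: gateway, DNS

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dport=(?P<port>\d+)")

# Constructed log lines in an assumed "src=... dport=..." format.
SAMPLE_LOG = [
    "May  8 13:20:01 gw portsentry: src=192.0.2.77 dport=31337",  # outside scanner
    "May  8 13:21:10 gw portsentry: src=10.0.0.53 dport=111",     # own DNS box probing
    "May  8 13:21:11 gw portsentry: src=10.0.0.20 dport=80",      # not a decoy port
]


@dataclass
class Responder:
    naive: bool
    alerts: list = field(default_factory=list)   # every decoy hit, in order
    blocked: set = field(default_factory=set)    # sources we would null-route

    def handle(self, line):
        m = LOG_RE.search(line)
        if not m or int(m["port"]) not in DECOY_PORTS:
            return None                           # not a decoy-port hit
        src = m["src"]
        self.alerts.append(src)                   # never silently ignore a host
        if self.naive or src not in CRITICAL_HOSTS:
            self.blocked.add(src)
            return "block"
        return "alert-only"                       # keep the route up, page a human


def run(lines, naive):
    """Feed the log lines through one policy and return the responder state."""
    r = Responder(naive=naive)
    for line in lines:
        r.handle(line)
    return r
```

Running both policies over the same lines shows the naive responder blocking its own DNS host while the alternative records the identical alarm and leaves the route in place.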