[techtalk] Security techniques ( Redhat 6.2 question)

Melissa Plunkett mplunkett at tranquility.net
Sun May 28 23:57:14 EST 2000


Jamie,

You are quite correct in what you pointed out below.  The mode
of portsentry I was referring to is the "stealth" mode and is just
one of many options.  Anyhoo the issue you brought up is addressed
directly in the documentation that comes w/ portsentry.  Since the
documentation states the arguments better than I can, here is the
relevant section:

"As stated in several places, it is possible that an attacker can forge
packets to appear from any host and can use this to trick PortSentry into
activating against the forged host IP. This can cause a variety of
problems in theory such as blocking gateways or name servers.

Sometimes though theory and reality just don't mix. The reality is
that not many people I've seen are using this tactic. In fact recent
versions of nmap even put in a "decoy" feature which I can only assume was
prompted by the release of PortSentry. This feature uses a list of forged
hosts to try to conceal the real culprit. The theory being that the
attacker is hidden in a list of chaff and the port scan detector is
blocking everyone thereby making it ineffective.

Well arguments can be made all day on the pluses and minuses of
auto-blocking hosts. When the theory is examined, the reality
sets in which shows through my own (informal) observations that your
chances of someone doing this to you are small. In fact I think that
it is small enough that if you are considering running the stealth
scan detection on a small *not-well-known* host the benefits outweigh
the risk. Why is this? Well:

1) The person port scanning you doesn't want to be found, that is why they
are "stealth" scanning you to begin with. It is kind of silly to spray
false packets at a host during the scan as this only increases the
chances of being spotted and no matter what gets your host blocked
anyway.

2) Spraying X number of additional packets slows your scan down by a
similar amount. Most attackers are going for quantity, not quality. They
want a scan to finish ASAP and with the least amount of noise.

3) Many networks now deploy anti-spoof filters which will prevent "decoy"
packets from exiting the border routers due to a bogus source address not
on the network. This means an attacker going through an ISP or similarly
clueful network will cause many router log messages to be generated and
will certainly grab attention of any aware admin from the originating
network. This also means the decoy packets won't make it to your host and
the real scanning host is revealed.

4) Even if the intruder is smart and uses decoy addresses from the local
subnet to allow them to exit the network it still raises a red flag that
a network administrator will know where to start. Despite what people
think, it's not *that* hard to find out which of 10 (or whatever) possible
hosts are compromised and doing a port scan.

Does this mean you are risk free?? No. But I have not received a
single complaint so far about people using forge scan tactics on
a widespread basis (in fact I haven't received a *single* complaint
of this tactic being used at all). So for the time being (as of
this writing) you are probably OK if you look at all the facts."

So as you can see this has indeed been pointed out.  Later in the
documentation the author notes he uses this on boxes that are
"internal hosts".  Hence if the person who originally asked
the question had been referring to a server that hosted a
well known web site I would never have used the stealth mode
as an example but since it was a home box this would help
to keep out the prying eyes and help to keep the original
poster's mind at ease.

-Melissa

Jamie Walker wrote:
> 
> Melissa Plunkett wrote:
> 
> > configurable, for example you can handle port scans by
> > using the feature that adds the offending ip to the
> > hosts.deny list.  Therefore you get both an email from
> > logcheck and the added benefit of having the ip blocked
> > which is good since by the time you read the email from
> > logcheck the person might have already compromised your
> > box.
> 
> This is unfortunately a rather dangerous thing to do; it would be possible to
> spoof the source address to be that of a legitimate user, and presto, a
> denial-of-service in which you twist the knife yourself.
> 
> --
> Phone: +64-9-373-7599 x4679     Room: 2.316, E&EE Dept, School of Engineering
>  Work: jj.walker at auckland.ac.nz Home: jwalker at paradise.net.nz
>   ICQ: 5632563                  or shout loudly
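The risk the two posts above argue about (a spoofed source address tricking an auto-blocker into denying your own gateway or name server) is one a defender can blunt before touching hosts.deny. The following is an added example, not PortSentry's code or anything from this thread: a small decision layer that refuses to block addresses on a protected list, suppresses duplicates, and holds a burst of many new sources for review instead of blocking them all, on the theory (from the quoted documentation) that a large list of sources at once looks like chaff rather than one real scanner. All addresses are constructed placeholders, and the event tuples stand in for whatever log lines the scan detector would produce.

```python
import ipaddress

# Constructed placeholder addresses for a home box; not from the original thread.
NEVER_BLOCK = [
    "192.168.1.1",      # hypothetical default gateway
    "192.168.1.0/24",   # hypothetical local subnet
    "127.0.0.0/8",      # loopback
    "203.0.113.53",     # hypothetical ISP resolver (TEST-NET-3 address)
]


def build_protected(entries):
    """Parse a list of addresses/CIDRs into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


PROTECTED = build_protected(NEVER_BLOCK)


def is_protected(ip, protected=PROTECTED):
    """True if ip falls inside any network we must never auto-block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in protected)


def hosts_deny_line(ip):
    """Render a tcp_wrappers hosts.deny entry for a single address."""
    return f"ALL: {ip}"


def decide_blocks(events, protected=PROTECTED, max_new_blocks=10):
    """Decide what to do with scan events.

    events: iterable of (source_ip, description) tuples, as a detector
    might emit them. Returns (deny_lines, held, skipped):
      deny_lines: hosts.deny entries safe to append
      held:       candidate addresses withheld because too many arrived
                  at once (possible decoy flood; review by hand)
      skipped:    (ip, reason) pairs that were logged but never blocked
    """
    candidates = []
    skipped = []
    seen = set()
    for src, _what in events:
        try:
            ipaddress.ip_address(src)
        except ValueError:
            skipped.append((src, "unparsable address"))
            continue
        if is_protected(src, protected):
            # A protected source is exactly what a spoofed packet would claim;
            # record it for the admin but do not twist the knife on yourself.
            skipped.append((src, "protected address; possible spoof, log only"))
            continue
        if src in seen:
            continue
        seen.add(src)
        candidates.append(src)

    if len(candidates) > max_new_blocks:
        # A burst of many distinct sources matches the decoy pattern described
        # in the PortSentry docs; hold them rather than blocking everyone.
        return [], candidates, skipped
    return [hosts_deny_line(ip) for ip in candidates], [], skipped


if __name__ == "__main__":
    sample = [
        ("198.51.100.7", "stealth scan"),
        ("192.168.1.1", "stealth scan"),   # spoofed to look like the gateway
        ("198.51.100.7", "stealth scan"),  # repeat from the same scanner
        ("203.0.113.53", "stealth scan"),  # spoofed to look like the resolver
        ("198.51.100.9", "stealth scan"),
    ]
    deny, held, skipped = decide_blocks(sample)
    for line in deny:
        print(line)
    for ip, why in skipped:
        print(f"# not blocking {ip}: {why}")
```

The protected list is the part worth getting right on a real box: gateway, resolvers, the monitoring host you administer from, and any address that, if denied, would lock you out. The burst threshold is a judgement call; it trades a slower reaction to a genuine mass scan for not blocking a whole list of forged sources at once.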
