[1680] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: New Program: Abacus Sentry - Port Scan Detector

daemon@ATHENA.MIT.EDU (Michael H. Warfield)
Wed Dec 10 14:21:30 1997

From: "Michael H. Warfield" <mhw@wittsend.com>
In-Reply-To: <Pine.LNX.3.96.971207225655.17895B-100000@guardian.htu.tuwien.ac.at> from ther at "Dec 7, 97 11:01:27 pm"
To: linux-security@redhat.com
Date: Tue, 9 Dec 1997 09:29:53 -0500 (EST)
Cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

ther enscribed thusly:
> On Fri, 5 Dec 1997, Craig H. Rowland wrote:
> 
> > 	- Add the target host to the local Linux filter list using
> > 	  ipfwadm.
> > 
> > 	- Drop the route to the target host via the route command.
> abacus (as described) would kill all connections to a host which
> portscans him. so an attacker would be able to kill any connection to
> any host by spoofed UDP packages. 

	Interesting point.  Triggering any sort of defensive action based
on UDP would open up a new class of denial of service attacks...

	Solution:

	Block all UDP anyways, outside of very selected connections
such as to your nameservers and timeservers.  There isn't much UDP
of real use outside of those anyways.  I totally block all UDP at
my firewalls (yeah RealAudio gets toasted - tough).  DNS and NTP get
handled by specific hosts so I can keep tight control over their access.

	Then you can set up the kill by route action to be triggered
only on TCP port scanning, which would then require fully connected
sessions.  Since Linux is NOT sequence number predictable, an attacker
would play hell spoofing a port scan via TCP.

	However...

	Because accept behaves differently on Linux than on many other
flavors of UNIX, you would have to be extremely careful not to let failed
connections trigger the kill behavior though.  On Linux, if someone does
a "stealth scan" of the TCP ports by issuing a raw "SYN" packet but then
resets the connection before a session is fully connected, the accept
still returns a socket.  You subsequently get a SIGPIPE when you try and
access the socket.  This caused some entertaining headaches with inetd
crashing if the internal services such as "time" got stealth scanned.
If this problem also exists in abacus, this would allow a knowledgable
attacker to spoof a TCP steath scan and cause the same sort of denial
of service as spoofing a UDP scan.

	This is worth checking out and specifically avoiding if the
avoidance code does not already exist.

	I've downloaded abacus but have not had the time to look at the
code as yet.  The possibilities of creating denial of service attacks
like this, open up some new interest though...

> bye,
> 	therapy
> 
> -- 
> ----------------------------------------------------------------------
> Please refere to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post