> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> I don't think active defense (this way at least) is a good idea.
> Yep, it sounds cool and looks like advanced technology ;) but imho
> it adds little to security and opens many new DoS possibilities.

You know *everybody* says this. In fact when I first wrote the tool I only had it do full TCP connect() detection to prevent this issue. Later when I added the UDP and stealth modes (which are susceptible to spoofed scans) I thought that I was going to be causing a major headache for users and labeled the modes as "experimental" (a.k.a. "I can pull this feature out anytime I want without reason").

What I re-discovered though is that reality and theory are many times mutually exclusive. I released the tool with the new modes and waited for the onslaught. I expected some people to balk and present the idea of the DOS attack. I expected others to release tools to attack the system. In fact both happened. Someone released a tool called "antisentry.c" which just did a simple port scan spoof. Even better, the popular scanner "nmap" added its "decoy" option specifically because of the PortSentry tool[1].

So, what was my response? I waited. I was waiting to hear the user complaints come rolling in asking me about the problem and telling me about the DOS attacks. I was waiting for the flame mail. Lastly, I was basically waiting for the sky to fall.

So you ask how many complaints have I received to date, almost two years after releasing the tool, referring to DOS attacks? Zero. Yes that's right, *nobody* has ever written me about having a DOS done on them with the tool. Does this mean that people don't use this technique? Well of course not, but I don't think it is as big an issue as the theorists claim if a proper sense of caution is used. In the documentation I explain the DOS issue quite clearly and give scenarios and motives on why I think the attack won't be prevalent.
Here they are again in a nutshell:

1) A person using a stealth scan wants to remain hidden.
2) A spoofed scan reveals the intent of an attacker without allowing them access to the network.
3) Many networks don't allow spoofed packets appearing from other networks to exit their borders (anti-spoof filters).
4) Decoy scanning slows down wide-spread scanning and makes you more noticeable from the compromised hosts.
5) Most attackers don't know you run PortSentry until they have activated it.

So basically you need to look at why an attacker is spoofing scans and what it buys them. Usually it buys them nothing and lets the administrators know someone is there, even if that someone is a forgery.

I know some people have had a PortSentry DOS used against them, but this usually was by people they know, or in a situation where they shouldn't be using the spoofable scan detection methods. Typically they were on IRC and one of their friends decided it would be funny.

Keep in mind too that I only recommend the full connect() TCP scan detection mechanism because full connect blind spoofs are relatively difficult to do (even though Linux has had some issues with this lately). Also most scan attempts are not stealth scans, they are full connections to help grab banners or to auto-run an attack for instant access.

I think if you are a high profile site you shouldn't run the stealth scan detection modes because of the critical nature of services you may provide (i.e. I don't run the stealth/UDP detection modes on my external servers). For most users though, you are fine running the stealth modes because most people scanning your host are not out to DOS you, they are out to get onto your system.

So what is the lesser of the two evils? I personally feel that the (very) small chance of a DOS attack is far outweighed by the potential to automatically stop the attacker in his/her tracks.
The choice is the end user's though on what they want to do:

1) Run the tool with the spoofable detection modes (UDP, stealth).
2) Run the tool with the non-spoofable detection modes (TCP full connect).
3) Don't run the tool with auto-blocking turned on.
4) Don't run the tool at all.

As hard as it is going to be for the theorists to accept, the reality is that not many people are using PortSentry to DOS others. Sorry to disappoint.

-- Craig

[1] Fyodor was at my talk at DefCon and we chatted for a bit afterward and he said PortSentry was what made him put in the "decoy" option. Does this mean I get a mention in the credits file? :)
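The trade-off the post describes, modelled as an added example that is not PortSentry's code and not part of the original thread: a toy auto-blocker runs in either a "stealth" policy (block the claimed source as soon as a SYN hits a monitored port) or a "connect" policy (block only after the three-way handshake completes, which requires the final ACK to carry the acknowledgement number from the SYN-ACK that only the real owner of the address received). Constructed traffic then shows a forged SYN from a critical internal address being blocked under the stealth policy but not under the connect policy, and an ignore list removing the exposure under either. The addresses, ports, packet records and the `AutoBlocker` class are assumptions of this example, not PortSentry's configuration or internals.

```python
"""Simulation of two auto-block policies on constructed traffic (example code)."""
import secrets
from dataclasses import dataclass, field

MOD32 = 2 ** 32


@dataclass(frozen=True)
class Packet:
    src: str        # claimed source address; a forger can put anything here
    dport: int
    flags: str      # "S" for an inbound SYN, "A" for the handshake's final ACK
    ack: int = 0    # acknowledgement number carried on an ACK packet


@dataclass
class AutoBlocker:
    """Hypothetical PortSentry-like blocker; 'stealth' or 'connect' policy."""
    mode: str
    monitored: set
    ignore: set = field(default_factory=set)     # addresses that are never blocked
    blocked: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # (src, dport) -> ISN we sent in SYN-ACK

    def observe(self, pkt: Packet):
        """Feed one inbound packet; return the address if it triggered a block."""
        if pkt.dport not in self.monitored or pkt.src in self.ignore or pkt.src in self.blocked:
            return None
        if self.mode == "stealth":
            # Block on the SYN alone: nothing here verifies that pkt.src is real.
            if pkt.flags == "S":
                self.blocked.add(pkt.src)
                return pkt.src
            return None
        # "connect" policy: remember the ISN our SYN-ACK carried and wait for the
        # final ACK; a blind forger never sees the SYN-ACK, so it can only guess.
        if pkt.flags == "S":
            self.pending[(pkt.src, pkt.dport)] = secrets.randbelow(MOD32)
            return None
        if pkt.flags == "A":
            isn = self.pending.pop((pkt.src, pkt.dport), None)
            if isn is not None and pkt.ack == (isn + 1) % MOD32:
                self.blocked.add(pkt.src)
                return pkt.src
        return None

    def syn_ack_isn(self, src: str, dport: int):
        """The ISN delivered to the real owner of src (a forger does not receive it)."""
        return self.pending.get((src, dport))


def run_scenario(mode: str, ignore=frozenset()):
    """Replay constructed traffic against one policy; return the sorted block list."""
    blocker = AutoBlocker(mode, {111, 515}, set(ignore))
    scanner = "203.0.113.7"       # constructed: a genuine scanner that completes connections
    dns_server = "198.51.100.53"  # constructed: our own resolver, forged as the source

    # 1. Genuine full-connect probe: SYN, then an ACK using the real SYN-ACK's ISN.
    blocker.observe(Packet(scanner, 111, "S"))
    isn = blocker.syn_ack_isn(scanner, 111)
    blocker.observe(Packet(scanner, 111, "A", (isn + 1) % MOD32 if isn is not None else 0))

    # 2. Forged SYN claiming to be the DNS server, followed by a guessed ACK number.
    blocker.observe(Packet(dns_server, 515, "S"))
    blocker.observe(Packet(dns_server, 515, "A", 1))

    return sorted(blocker.blocked)


if __name__ == "__main__":
    for mode in ("stealth", "connect"):
        print(f"{mode:8s} no ignore list : {run_scenario(mode)}")
        print(f"{mode:8s} dns ignored    : {run_scenario(mode, {'198.51.100.53'})}")
```

Under the stealth policy the forged SYN is enough to put the resolver on the block list, which is the self-inflicted outage the quoted objection has in mind; under the connect policy the forger's guessed ACK (one chance in 2^32 of matching) fails and only the scanner that really completed a connection is blocked. The ignore list is the second mitigation the post points at for hosts that must keep the stealth modes: it does nothing about detection quality, but it bounds the damage a forged source can do.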
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:46:03 PDT