[Snort-users] how to block an attacker.

Gregor Binder gbinder at ...462...
Thu Apr 5 04:00:53 EDT 2001


Yonah Russ on Wed, Apr 04, 2001 at 09:35:02PM +0200:

Yonah,

> I don't personally believe in this approach but the truth is that
> depending on your situation, this might not result in a
> DOS attack in any case- depending on your situation. If you __don't__
> automatically block any internal IPs or any external IPs that are known
> to be crucial to your systems, you might get away with something like
> this.

DoS doesn't have to only refer to systems your systems depend on. If you
provide some service to the world, there is a lot of potential that
somebody abuses the blocking mechanism to prevent legitimate users from
accessing it. Spoofing the addresses of big ISP proxy caches for example
could be very effective.

I would love to be able to respond to attacks in an automated fashion,
but I don't think it should be done based on NIDS information. A good
idea would be to have C2 auditing enabled, look for things like illegal
root transitions, and block people based on that. Or on Solaris, you
could use syslog events that indicate that somebody tried to execute on
the user stack. In other words, react on system events that are very
very unlikely to be false positives. OTOH, it may be tough to relate
these to a particular source address.

Regards,

-- 
Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
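To make the trade-off discussed above concrete, here is an added example in Python (not code from this thread or from Snort): an automatic blocker that honours a never-block list of internal and crucial addresses, as Yonah suggests, and that can additionally refuse to act on evidence an off-path attacker could spoof, which is Gregor's objection. The `established` flag, the addresses and the alert names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Alert:
    # `established` is assumed to mean the sensor saw a completed TCP
    # handshake, something an off-path attacker cannot forge by spoofing.
    src: str
    established: bool
    signature: str

class AutoBlocker:
    def __init__(self, never_block, require_established=True):
        # Internal ranges plus addresses the service depends on or that
        # front many legitimate users (e.g. big ISP proxy caches).
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.require_established = require_established
        self.blocked = set()

    def decide(self, alert):
        ip = ipaddress.ip_address(alert.src)
        if any(ip in net for net in self.never_block):
            return "skip: protected address"
        if self.require_established and not alert.established:
            return "skip: spoofable evidence"
        self.blocked.add(alert.src)
        return "block"

# Constructed protected list: RFC 1918 internal space plus the upstream
# DNS/mail servers (203.0.113.0/24) and one large ISP proxy cache.
NEVER_BLOCK = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "203.0.113.0/24", "198.51.100.10/32"]
# Constructed alerts: a genuine attack over an established session, an
# internal host, a spoofed packet claiming to be the listed ISP proxy, and
# one claiming to be a second ISP proxy that was left off the list.
ALERTS = [
    Alert("192.0.2.77", True, "WEB-ATTACKS /etc/passwd access"),
    Alert("10.0.0.5", True, "SCAN nmap TCP"),
    Alert("198.51.100.10", False, "SCAN SYN FIN"),
    Alert("198.51.100.11", False, "SCAN SYN FIN"),
]

def run(require_established):
    # Feed ALERTS to a blocker and return the addresses it would block.
    blocker = AutoBlocker(NEVER_BLOCK, require_established)
    for alert in ALERTS:
        blocker.decide(alert)
    return blocker.blocked

print("naive policy blocks:", sorted(run(False)))  # second proxy gets blocked
print("strict policy blocks:", sorted(run(True)))
```

The naive run shows that a never-block list only protects the addresses somebody remembered to put on it; requiring evidence from an established session is what stops the spoofed alert from cutting off the unlisted proxy's users.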