[Snort-users] Fun with IPF and Snort (OT?)
shawn . moyer
shawn at ...1184...
Mon Mar 19 15:34:45 EST 2001
Gregor Binder wrote:
> > Marcus Ranum also had a cool idea about building scripts that redirect
> > attacks back to the attacker's own box, so that they actually root
> > themselves. :)
>
> .. and make yourself a relay for attacks for people that can fake source
> addresses :(
Yeah, that was sort of the reason that his idea hadn't been used in
practice. I was more bringing it up anecdotally b/c it's a neat idea
concept if not 100% feasible.
Yours is of course the accepted answer as to why auto-responding tools
and automated attack response aren't feasible.
> Please don't forget that there is a thing called spoofing, and you might
> be setting yourself up as part of another attack.
Of course dropping LSRR and SSRR packets helps a lot of this. A tool of
this nature could still be written (just to play devil's advocate) if it
depended on a three-way handshake and a valid session, since pseudo-random
ISNs and all the other bit-twiddling most folks do means that most
spoof attempts these days are one-way only.
--shawn
--
s h a w n m o y e r
shawn at ...1184...
The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.
-- Zelazny