[Snort-users] Fun with IPF and Snort (OT?)

shawn . moyer shawn at ...1184...
Mon Mar 19 15:34:45 EST 2001


Gregor Binder wrote:

> > Marcus Ranum also had a cool idea about building scripts that redirect
> > attacks back to the attacker's own box, so that they actually root
> > themselves. :)
> 
> .. and make yourself a relay for attacks for people that can fake source
> addresses :(

Yeah, that was sort of the reason that his idea hadn't been used in
practice. I was more bringing it up anecdotally b/c it's a neat
concept, if not 100% feasible.

Yours is of course the accepted answer as to why auto-responding tools
and automated attack response aren't feasible.
 
> Please don't forget that there is a thing called spoofing, and you might
> be setting yourself up as part of another attack.

Of course dropping LSRR and SSRR packets helps a lot of this. A tool of
this nature could still be written (just to play devil's advocate) if it
depended on a three-way handshake and a valid session, since pseudo-random
ISNs and all the other bit-twiddling most folks do means that most
spoof attempts these days are one-way only.

--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...


The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

                                        -- Zelazny
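
Added example, not part of the original post: a sketch of the gating check the message describes, where an automated response is only considered for a source that completed a TCP three-way handshake and source-routed (LSRR/SSRR) packets are discarded first. The packet record format, the `pkt` and `verified_sources` names, and all addresses and sequence numbers are assumptions constructed for illustration.

```python
LSRR, SSRR = 131, 137  # IP option types: loose / strict source and record route
MOD = 2**32            # TCP sequence numbers wrap at 32 bits

def pkt(src, dst, sport, dport, flags, seq, ack=0, ip_opts=()):
    """Build one constructed packet record (hypothetical format)."""
    return dict(src=src, dst=dst, sport=sport, dport=dport, seq=seq, ack=ack,
                flags=frozenset(flags.split("|")), ip_opts=ip_opts)

def verified_sources(packets, server_ip):
    """Return client IPs that completed a three-way handshake with server_ip."""
    pending = {}     # (client ip, client port, server port) -> (client ISN, server ISN)
    verified = set()
    for p in packets:
        # Source routing can make a spoofed conversation two-way, so drop it first.
        if LSRR in p["ip_opts"] or SSRR in p["ip_opts"]:
            continue
        inbound = p["dst"] == server_ip
        key = ((p["src"], p["sport"], p["dport"]) if inbound
               else (p["dst"], p["dport"], p["sport"]))
        if inbound and p["flags"] == {"SYN"}:
            pending[key] = (p["seq"], None)
        elif not inbound and p["flags"] == {"SYN", "ACK"}:
            if key in pending and p["ack"] == (pending[key][0] + 1) % MOD:
                pending[key] = (pending[key][0], p["seq"])
        elif inbound and p["flags"] == {"ACK"} and key in pending:
            c_isn, s_isn = pending[key]
            # Only a host that really received our SYN-ACK knows the server ISN.
            if (s_isn is not None and p["ack"] == (s_isn + 1) % MOD
                    and p["seq"] == (c_isn + 1) % MOD):
                verified.add(p["src"])
                del pending[key]
    return verified

SERVER = "192.0.2.10"
# Constructed sample traffic (documentation address ranges, made-up ISNs).
SAMPLE = [
    # Genuine client: sees the SYN-ACK, so it acknowledges the server ISN.
    pkt("198.51.100.7", SERVER, 40000, 80, "SYN", 1000),
    pkt(SERVER, "198.51.100.7", 80, 40000, "SYN|ACK", 555000, 1001),
    pkt("198.51.100.7", SERVER, 40000, 80, "ACK", 1001, 555001),
    # Blind spoof: never sees the SYN-ACK and has to guess the ack number.
    pkt("203.0.113.9", SERVER, 41000, 80, "SYN", 2000),
    pkt(SERVER, "203.0.113.9", 80, 41000, "SYN|ACK", 777000, 2001),
    pkt("203.0.113.9", SERVER, 41000, 80, "ACK", 2001, 12345),
    # Source-routed: the numbers are right, but LSRR is set, so it is ignored.
    pkt("203.0.113.50", SERVER, 42000, 80, "SYN", 3000, ip_opts=(LSRR,)),
    pkt(SERVER, "203.0.113.50", 80, 42000, "SYN|ACK", 888000, 3001),
    pkt("203.0.113.50", SERVER, 42000, 80, "ACK", 3001, 888001, ip_opts=(LSRR,)),
]
print(sorted(verified_sources(SAMPLE, SERVER)))
```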



