[Snort-users] Fun with IPF and Snort
thomas r stromberg
tstromberg at ...330...
Tue Mar 20 08:24:30 EST 2001
On 19-Mar-2001, Phil Wood popped this into my mailspool:
> I take it you have taken this into account:
> % attack -s 220.127.116.11 -d 18.104.22.168 -forever
I run as an inetd service, so I react no differently than, say,
telnetd with a large banner. Now, since there is no detail in your
demo attack, I'll just break down the possibilities.

Because I act like any other inetd service, that attack would just
as well work on ftpd. The only difference I have is, well, I send a
very large banner.

inetd protects me, because I have it set to a maximum of 5
connections from a host per minute (-C), and 16 connections per
minute to a service (-R). These limits are real low because, if I'm
getting that many, obviously the attacker is dropping the connection
real quick, rather than suffering any wrath ;) FreeBSD's inetd has
great rate limiting controls, check out the manpage.

If someone manages to spoof a complete 3-way TCP transaction, and
gets me to flood some other poor guy, well. The internet has other
problems to worry about if it's that easy to spoof the entire
transaction against FreeBSD 4.2.

If someone manages to just spoof a SYN, well... I'm no guru, but I
believe inetd will only exec() the program if a full transaction is
received. Otherwise, at most I load 16 of these things a minute,
assuming multiple spoofed sources. They sit at niceness 20 on a dual
processor machine, and since no real connect is at the other end,
they won't do much traffic-wise other than try to complete the

However! You are right in your assumption of what I did not take
into account. Since I log all SYN packets to that host, well, I could
look like I'm attacking myself if someone spoofs me, and fill up
mysql forever. But.. I'd rather log myself to death than not log at
all I guess.

Of course, I still may be missing something.
: Thomas Stromberg work> tstromberg at ...330... :
: Research Triangle Commerce (ICC.net) home> thomas at ...1617... :
'Every word is like an unnecessary stain on silence and nothingness'
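As an added illustration of the two inetd limits the reply above leans on (this is not code from the post, from FreeBSD's inetd, or from Snort), the following Python model counts connections the way the post describes -C and -R: a per-host cap per service per minute and a per-service cap per minute. The service name "banner", the 192.0.2.x source addresses and the timestamps are constructed for the example; real inetd disables a service that exceeds -R for a period rather than refusing single connections, and that detail is not reproduced, only the counting.

```python
# Added example, not code from the original mailing-list post or from inetd.
# A toy model of the two rate limits the post relies on: -C (connections per
# source host per service per minute) and -R (invocations per service per
# minute). Real inetd disables a looping service for a while when -R is hit;
# this model simply refuses the excess, which is enough to show the counting.
from collections import defaultdict, deque


class InetdRateModel:
    """Sliding one-minute window per (service, host) and per service."""

    def __init__(self, max_per_host=5, max_per_service=16, window=60.0):
        self.max_per_host = max_per_host        # inetd -C 5 from the post
        self.max_per_service = max_per_service  # inetd -R 16 from the post
        self.window = window                    # seconds
        self._host_hits = defaultdict(deque)     # (service, host) -> timestamps
        self._service_hits = defaultdict(deque)  # service -> timestamps

    def _prune(self, hits, now):
        # Drop timestamps that have fallen out of the one-minute window.
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:
            hits.popleft()

    def accept(self, service, host, now):
        """True if the model would let inetd exec() the service for this connection."""
        per_host = self._host_hits[(service, host)]
        per_service = self._service_hits[service]
        self._prune(per_host, now)
        self._prune(per_service, now)
        if len(per_host) >= self.max_per_host:
            return False  # -C: this source has used its allowance for the minute
        if len(per_service) >= self.max_per_service:
            return False  # -R: the service has used its allowance for the minute
        per_host.append(now)
        per_service.append(now)
        return True


def run(model, connections):
    """connections: iterable of (time, service, host); returns (accepted, refused)."""
    accepted = refused = 0
    for now, service, host in connections:
        if model.accept(service, host, now):
            accepted += 1
        else:
            refused += 1
    return accepted, refused


# Constructed scenarios; 192.0.2.0/24 is documentation address space.
SERVICE = "banner"  # hypothetical name for the large-banner service in the post


def single_host_burst(n=20):
    """One source hits the service n times within a minute: -C does the work."""
    conns = [(float(t), SERVICE, "192.0.2.1") for t in range(n)]
    return run(InetdRateModel(), conns)


def spoofed_sources(hosts=10, per_host=3):
    """Many forged sources, each under the -C limit, so only -R can cap them."""
    conns = []
    t = 0.0
    for i in range(hosts):
        for _ in range(per_host):
            conns.append((t, SERVICE, f"192.0.2.{i + 1}"))
            t += 1.0
    return run(InetdRateModel(), conns)


def window_recovers():
    """A blocked host is admitted again once its minute has elapsed."""
    m = InetdRateModel()
    for t in range(5):
        m.accept(SERVICE, "192.0.2.1", float(t))
    blocked = not m.accept(SERVICE, "192.0.2.1", 5.0)
    readmitted = m.accept(SERVICE, "192.0.2.1", 65.0)
    return blocked, readmitted


if __name__ == "__main__":
    print("single host, 20 tries:", single_host_burst())    # (5, 15)
    print("10 spoofed hosts x 3:", spoofed_sources())       # (16, 14)
    print("blocked then readmitted:", window_recovers())   # (True, True)
```

Running the file prints the three scenarios. The second one is the point the post makes about spoofed SYNs: once the sources are forged, the per-host -C limit no longer helps, and the per-service -R cap of 16 is what bounds the number of exec()s per minute. On FreeBSD both flags are passed through inetd_flags in /etc/rc.conf, for example inetd_flags="-wW -C 5 -R 16"; the post only names the two values, so that exact line is an assumption about how the author set it.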