[Snort-users] Fun with IPF and Snort

thomas r stromberg tstromberg at ...330...
Tue Mar 20 08:24:30 EST 2001


On 19-Mar-2001, Phil Wood popped this into my mailspool:
>    I take it you have taken this into account:
> 
>    % attack -s 66.26.231.27 -d 66.26.231.27 -forever

   I run as an inetd service, so I react no differently than, say,
   telnetd with a large banner. Now, since there is no detail in your
   demo attack, I'll just break down the possibilities.

   Because I act like any other inetd service, that attack would just
   as well work on ftpd. The only difference I have is, well, I send a
   very large banner.

   inetd protects me, because I have it set to a maximum of 5
   connections from a host per minute (-C), and 16 connections per
   minute to a service (-R). These limits are real low because, if I'm
   getting that many, obviously the attacker is dropping the connection
   real quick, rather than suffering any wrath ;) FreeBSD's inetd has
   great rate limiting controls, check out the manpage.

   If someone manages to spoof a complete 3 way TCP transaction, and
   gets me to flood some other poor guy, well. The internet has other
   problems to worry about if it's that easy to spoof the entire
   transaction against FreeBSD 4.2. 

   If someone manages to just spoof a SYN, well... I'm no guru, but I
   believe inetd will only exec() the program if a full transaction is
   received. Otherwise, at most I load 16 of these things a minute,
   assuming multiple spoofed sources. They sit at niceness 20 on a dual
   processor machine, and since no real connect is at the other end,
   they won't do much traffic wise other than try to complete the
   transaction.

   However! You are right in your assumption of what I did not take
   into account. Since I log all SYN packets to that host, well, I could
   look like I'm attacking myself if someone spoofs me, and fill up
   mysql forever. But.. I'd rather log myself to death than not log at
   all I guess.

   Of course, I still may be missing something.

-- 
: Thomas Stromberg                      work> tstromberg at ...330...  :
: Research Triangle Commerce (ICC.net)  home> thomas at ...1617... :

'Every word is like an unnecessary stain on silence and nothingness' 
    -- Beckett
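The two inetd knobs the post relies on, -C (connections per minute from one source host) and -R (connections per minute to one service), are easy to misjudge under a spoofed-source flood, so here is an added model of how they interact. This is editor-added example code, not inetd's source and not anything posted in the thread: it models -C as a per-host sliding one-minute window whose excess connections are refused, and -R as a per-service one-minute window whose excess disables the service for a cooldown. The 60-second window and the 10-minute re-enable (RETRYTIME) are my assumptions about FreeBSD inetd's behaviour; the host addresses and the "snort-banner" service name are constructed for the example.

```python
"""Simplified model of FreeBSD inetd -C / -R rate limiting (added example).

Not inetd's code. -C refuses a connection when a single source host has
already hit the per-minute limit; -R disables the whole service for a
cooldown when the service as a whole has hit its per-minute limit.
"""
from collections import defaultdict, deque

CNT_INTVL = 60    # assumption: inetd counts within a 60-second window
RETRYTIME = 600   # assumption: inetd re-enables a "looping" service after 10 minutes


class InetdRateLimiter:
    def __init__(self, max_cpm_host=5, max_rate_service=16):
        self.max_cpm_host = max_cpm_host          # -C
        self.max_rate_service = max_rate_service  # -R
        self.host_hits = defaultdict(deque)       # (service, host) -> spawn times
        self.service_hits = defaultdict(deque)    # service -> spawn times
        self.disabled_until = {}                  # service -> time it comes back

    @staticmethod
    def _expire(window, now):
        # Drop timestamps that fell out of the one-minute window.
        while window and now - window[0] >= CNT_INTVL:
            window.popleft()

    def accept(self, service, host, now):
        """Decide one completed TCP connection; returns (decision, reason)."""
        until = self.disabled_until.get(service)
        if until is not None:
            if now < until:
                return "refused", f"{service} disabled until t={until}"
            del self.disabled_until[service]
            self.service_hits[service].clear()

        # -C: per source host, checked first; refused connections are not spawned
        hosts = self.host_hits[(service, host)]
        self._expire(hosts, now)
        if len(hosts) >= self.max_cpm_host:
            return "refused", f"-C: {host} exceeded {self.max_cpm_host}/min"

        # -R: per service; exceeding it takes the service down for RETRYTIME
        svc = self.service_hits[service]
        self._expire(svc, now)
        if len(svc) >= self.max_rate_service:
            self.disabled_until[service] = now + RETRYTIME
            return "refused", f"-R: {service} server failing (looping), service terminated"

        hosts.append(now)
        svc.append(now)
        return "spawned", "exec service"


def simulate(limiter, attempts):
    """attempts: iterable of (time, service, host); returns the decisions."""
    return [limiter.accept(service, host, t)[0] for t, service, host in attempts]


def scenario_single_host(n=20, service="snort-banner", host="192.0.2.10"):
    """One host (constructed address) opens n connections one second apart.
    With -C 5 only the first five are exec'd; returns (spawned, refused)."""
    lim = InetdRateLimiter(max_cpm_host=5, max_rate_service=16)
    decisions = simulate(lim, [(t, service, host) for t in range(n)])
    return decisions.count("spawned"), decisions.count("refused")


def scenario_spoofed_hosts(service="snort-banner"):
    """Four constructed source hosts stay under -C individually, but together
    they trip -R, so the 17th connection in the minute takes the service
    down. Returns (spawned, refused, decision after RETRYTIME has passed)."""
    hosts = [f"192.0.2.{i}" for i in range(1, 5)]
    lim = InetdRateLimiter(max_cpm_host=5, max_rate_service=16)
    attempts = [(t, service, hosts[t % len(hosts)]) for t in range(20)]
    decisions = simulate(lim, attempts)
    later = lim.accept(service, hosts[0], 19 + RETRYTIME)[0]
    return decisions.count("spawned"), decisions.count("refused"), later


if __name__ == "__main__":
    print("single host:", scenario_single_host())      # (5, 15)
    print("spoofed hosts:", scenario_spoofed_hosts())  # (16, 4, 'spawned')
```

The second scenario is the caveat behind the post's "assuming multiple spoofed sources" line: -C never fires because each spoofed source stays under five per minute, so -R is the limit that actually holds, and once it trips the service stays down for the cooldown, for legitimate clients too. On FreeBSD the real settings live in rc.conf as inetd_flags (for this post's numbers, -C 5 -R 16); the model above only illustrates what those numbers do.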