From owner-freebsd-security Sun Mar 26 5:30:16 2000
Date: Sun, 26 Mar 2000 16:17:22 +0300
From: Giorgos Keramidas
To: John Fitzgibbon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Publishing Firewall Logs
Message-ID: <20000326161722.A5903@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References: <003801bf9688$87418540$040ba8c0@fitz>
In-Reply-To: <003801bf9688$87418540$040ba8c0@fitz>; from fitz@jfitz.com on Sat, Mar 25, 2000 at 10:31:10AM -0800

On Sat, Mar 25, 2000 at 10:31:10AM -0800, John Fitzgibbon wrote:
>
> I decided to start publishing my firewall logs on the web
> http://63.194.217.126/logs/
>
> My thinking is that to identify the root, (excuse the pun), source of
> distributed attacks, administrators need access to a broad set of logs.

This could help, sometimes. But it can only help when the packets that we need to identify were not forged at their source.

> I'm aware of the obvious counter-argument that any information you
> make available creates a risk.

I'm also aware of this, and I always was, but I still chose to publish on the web the way my ipfw rules were written.
Having someone know first hand what's allowed and what's not is a bit too much information to give. However, I've received so many personal e-mails thanking me for `having such a helpful page on ipfw' or something along these lines, that I think it's worth the risk :)

> This is basically what I'm looking for feedback on -- Is this
> information useful?

The obvious counter-counter-argument to what you mentioned is also useful here: "Any kind of information is useful now, or `possibly' useful in the future."

What you're discussing doing is dangerous, though. Despite the fact that it would be nice to know that a certain IP address has been the source of several distributed attacks during the past few months/years, there is always the danger of 'blacklisting' the wrong people.

I have to admit that in giving the information away, you have not made any implicit assumptions about the way it should be used, or what could be done with it. However, it would be a very sad thing if using such information as evidence resulted in someone being accused of being the source of distributed attacks, especially if the accused had nothing to do with it, apart from being the network 'bridge' for the packets comprising the attack.

As should be obvious by now, having the information readily available is one thing. Dictating how and why it should be used is most of the time another, totally different thing. Just think of the efforts made to stop spammers. The information is there. The lists of open relays are there. Anyone who wants to use them can go ahead and blackhole entire domains, company networks, hell, even entire countries. The worst problems of these efforts, though, start when they start trying to think of a 'policy' for adding something to their list, and removing it after some checks have been done and passed successfully.

What I mean here is, let's suppose you receive a lot of strange packets from the dialup users of an ISP, and you publish these logs.
Then the ISP, having read your online logs, tries to stop such attacks and fixes their router access lists, dropping those strange packets on the floor. Do you remove the relevant logs from the Web? Do you leave them as they are, and post a notice saying something to the effect of "but the nice and friendly techies of ISP A.B.C. did their best and stopped such attempts at their source"?

Of course, it could get even trickier. Some ISP blocks the strange packets once they see your logs. Then they post a notice to you, asking you, in varying degrees of kindness, to remove the logs from the web. You fail to remove the logs in a reasonable amount of time, and they sue you, with a charge of spreading libel and hurting their reputation.

I do support the availability of such information, but please take care to avoid problems like those described above. Even a simple disclaimer paragraph stating that you're not suggesting in any way the use of this information, or that you do not take any responsibility for what others might do with it, would probably be enough. Then again, I'm no lawyer, and I'm probably mistaken in my hypotheses about anything legal.

- Giorgos Keramidas

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message