From owner-freebsd-security Wed Dec 8 14:46:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from server.computeralt.com (server.computeralt.com [207.41.29.10]) by hub.freebsd.org (Postfix) with ESMTP id 034C115264 for ; Wed, 8 Dec 1999 14:46:23 -0800 (PST) (envelope-from scott@computeralt.com)
Received: from scott (scott.computeralt.com [207.41.29.100]) by server.computeralt.com (8.9.3/8.9.1) with ESMTP id RAA13826 for ; Wed, 8 Dec 1999 17:46:17 -0500 (EST)
Message-Id: <4.2.2.19991208173403.00be7790@mail.computeralt.com>
X-Sender: scott@mail.computeralt.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Wed, 08 Dec 1999 17:46:17 -0500
To: freebsd-security@FreeBSD.ORG
From: "Scott I. Remick"
Subject: Re: What kind of attack is this?
In-Reply-To:
References: <4.2.2.19991208162315.00b5f4e0@mail.computeralt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 05:25 PM 12/8/99 -0500, Robert Mooney wrote:
>What about changing that machine's IP,

I was going to do that, but wanted to observe for a while. It wasn't an
important system, and I can't learn anything if I can't watch it in action.

>or throwing up a temporary firewall
>in between the outside and this machine (sounds illogical, but possible,
>especially in a situation where a temporary fix is needed ASAP)?

I've got a firewall already built up. But like I explained in another post,
although I'd like to just drop it in, it's not quite that easy.

>Are people on the net supposed to be able to get to this machine?

Yes. I don't have a lot of pull, and the powers that be here sway more
towards giving individual employees the power to do just about anything
they want over the internet, and security takes a back seat. Just getting
everyone to let me install AV software is like pulling teeth. So the
firewall solution will end up being open by default, and blocking that
which is bad.

>What machines in your militarized zone do you have that require incoming
>UDP packets that don't send outgoing UDP packets first?

Well, that's a tricky one. How do you set up a filter/rule to figure THAT
out? (whether a UDP packet coming in from a host was in response to one it
received earlier) Some of the things we have going on here that use UDP are
ICQ, NTP, and DNS. I believe RealPlayer uses UDP too. Probably others.

>IPF is neato in this respect, as you can block all incoming UDP, yet
>give outgoing UDP state.

Yeah, I know... but IPF isn't happening right yet. My priority is to figure
out a name for this sort of attack so I can communicate intelligently and
read up more about it, and figure out how to trace it. Blocking it will
happen but isn't as critical because 1) it's not targeted towards an
important system, and 2) the firewall WILL come, which WILL fix this, I
know. I suspect this to be a retaliation of a personal nature from someone
against one of our employees.

>Yes, definitely block everything except what's needed. And then question
>yourself and others on what really is needed.

Which is what I'd like to do, but what I like to do and what needs to be
done here are seldom the same thing. I will push for a closed firewall, but
it'll probably end up being open by default when it goes up.

>If Ascend's ruleset isn't as flexible as you'd like, you could probably
>set up a BSD box on the local network side of the Ascend, and use it as a
>firewall. Seriously consider IPF.

I am, I am, I am... but in the interim... :)

-----------------------
Scott I. Remick                        scott@computeralt.com
Network and Information                (802)388-7545 ext. 236
Systems Manager                        FAX:(802)388-3697
Computer Alternatives, Inc.            http://www.computeralt.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
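The question in the message above, how a filter can tell whether an inbound UDP packet is a reply to something a local host sent earlier, is exactly what IPF's `keep state` answers: an outbound UDP packet creates a state entry keyed on the four-tuple (local address, local port, remote address, remote port), an inbound packet passes only if its reversed tuple matches a live entry, and entries expire after an idle timeout. The following model of that mechanism is an added example and is not code from the thread, from IPF or from FreeBSD; the addresses, ports, timestamps, the 60-second timeout and the `inbound_services` exception list are all constructed for illustration, and the IPF rules quoted in the comment are shown only as the policy the model mimics.

```python
"""
Model of stateful UDP filtering as IPF's 'keep state' does it (added example,
not IPF's own code). The policy being mimicked, in IPF syntax (assumed
interface name ed0, assumed rule file contents):

    pass  out quick on ed0 proto udp from any to any keep state
    block in  quick on ed0 proto udp from any to any

i.e. outbound UDP is allowed and creates state; inbound UDP is dropped
unless it is the reply to tracked outbound traffic (or to a service we
deliberately publish, modelled here by 'inbound_services').
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Addresses below are RFC 5737 documentation ranges; all traffic is constructed.
INSIDE_HOST = "192.0.2.10"       # a workstation on the local network
DNS_SERVER = "198.51.100.53"     # an upstream resolver
NTP_SERVER = "198.51.100.123"    # an upstream time server
ATTACKER = "203.0.113.7"         # source of unsolicited UDP
PUBLIC_DNS = "192.0.2.53"        # a local DNS server we intentionally expose

Key = Tuple[str, int, str, int]  # (local_ip, local_port, remote_ip, remote_port)


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving our network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    t: float         # arrival time in seconds (constructed, relative)


class UdpStateFilter:
    def __init__(self, ttl: float = 60.0, inbound_services: Iterable[Tuple[str, int]] = ()):
        self.ttl = ttl                                   # idle timeout for a state entry
        self.inbound_services = set(inbound_services)    # (local_ip, port) we publish on purpose
        self.table: Dict[Key, float] = {}                # state key -> expiry time

    def _expire(self, now: float) -> None:
        # Drop entries whose idle timer has run out; a late "reply" is then unsolicited.
        for key, deadline in list(self.table.items()):
            if deadline <= now:
                del self.table[key]

    def decide(self, p: Packet) -> str:
        self._expire(p.t)
        if p.direction == "out":
            # Outbound UDP always passes and records the flow it may get answered on.
            self.table[(p.src, p.sport, p.dst, p.dport)] = p.t + self.ttl
            return "pass"
        # Inbound: it is a reply only if the reversed tuple is a live state entry.
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self.table:
            self.table[reverse] = p.t + self.ttl         # refresh the idle timer
            return "pass"
        if (p.dst, p.dport) in self.inbound_services:    # deliberately published UDP service
            return "pass"
        return "block"                                   # everything else: the default deny


def run(packets: Iterable[Packet], ttl: float = 60.0,
        inbound_services: Iterable[Tuple[str, int]] = ()) -> List[str]:
    flt = UdpStateFilter(ttl, inbound_services)
    return [flt.decide(p) for p in packets]


# Constructed sample traffic exercising the interesting cases.
SAMPLE: List[Packet] = [
    Packet("out", INSIDE_HOST, 40000, DNS_SERVER, 53, 0.0),     # DNS query
    Packet("in", DNS_SERVER, 53, INSIDE_HOST, 40000, 0.1),      # its reply
    Packet("in", ATTACKER, 53, INSIDE_HOST, 40000, 0.2),        # "reply" from the wrong source
    Packet("out", INSIDE_HOST, 123, NTP_SERVER, 123, 1.0),      # NTP request
    Packet("in", NTP_SERVER, 123, INSIDE_HOST, 123, 1.5),       # NTP reply
    Packet("in", ATTACKER, 31337, INSIDE_HOST, 7, 2.0),         # unsolicited UDP (flood-style)
    Packet("in", DNS_SERVER, 53, INSIDE_HOST, 40000, 100.0),    # DNS "reply" after state expired
    Packet("in", ATTACKER, 5555, PUBLIC_DNS, 53, 101.0),        # query to the published server
]


def sample_decisions() -> List[str]:
    return run(SAMPLE, ttl=60.0, inbound_services=[(PUBLIC_DNS, 53)])


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, sample_decisions()):
        print(f"{verdict:5} {pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} t={pkt.t}")
```

The third and seventh packets are the ones that matter for the situation in the thread: state is matched on the full four-tuple, so a packet that merely targets the right local port from a different source is blocked, and once the idle timer lapses the flow is forgotten and later arrivals are treated as unsolicited. Real services that genuinely need unsolicited inbound UDP (a published DNS server, in this model) are the only holes that have to be punched explicitly, which is the inventory the quoted question was asking for.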