From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Date: Wed, 23 Nov 2005 15:16:58 -0800 (PST)
Subject: Re: Need urgent help regarding security
Message-ID: <20051123150509.P90242@roble.com>
In-Reply-To: <20051123120058.DAA3C16A484@hub.freebsd.org>

Lowell Gilbert wrote:
>> Not sure I agree with the easily part.. TCP transport plus SSH
>> protocol spoofing is not a vector that normally needs to be secured
>> beyond what is already done in the kernel and router. That's not to
>> say such spoofing cannot be done, just that it is rare and would
>> require a compromised router or localnet host at a minimum.
>
> Except that it doesn't require spoofed addresses. One attacker from the
> local university's computer center (or from a large shell service ISP)
> could lock out all of the other users on that machine. Trivially.

And that's exactly what you want. The alternative is to let the
dictionary attack continue unabated.

At least once the blackhole is up, and notices sent, the target host's
admins can contact the attacking host's admins to shut down the account
or process running the scan. If nobody is monitoring the IDS alerts
that's a different problem.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
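The trade-off argued in this exchange is between blackholing a source address that is running an SSH dictionary attack and locking out every legitimate user who shares that address (a university computer centre or a shell ISP). The following is an added example, not code from the thread or from either poster: a small detector that parses constructed sshd failure lines, applies a per-source threshold within a sliding time window, and then makes the decision the thread describes, a time-limited blackhole for ordinary sources but only an admin alert for addresses on a constructed list of known shared hosts, so the "contact the attacking host's admins" path is taken instead of a lockout. The log lines, addresses, thresholds and the `SHARED_HOSTS` list are all assumptions made for illustration.

```python
"""Threshold failed-SSH-login sources from sshd log lines and decide which
to blackhole, with a time-limited block and an exemption list for shared
hosts whose many users sit behind one source address.

Added example, not from the original mailing-list thread. All log lines,
thresholds and addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Typical sshd "Failed password" line (syslog timestamp has no year,
# so one is supplied at parse time).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log: a fast scanner, a user who mistyped once, and
# a scanner running from a shared shell host.
SAMPLE_LOG = """\
Nov 23 15:01:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Nov 23 15:01:02 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Nov 23 15:01:03 host sshd[1003]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Nov 23 15:01:04 host sshd[1004]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Nov 23 15:01:05 host sshd[1005]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
Nov 23 15:02:00 host sshd[1006]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Nov 23 15:02:30 host sshd[1007]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
Nov 23 15:03:00 host sshd[1008]: Failed password for invalid user admin from 203.0.113.5 port 60001 ssh2
Nov 23 15:03:01 host sshd[1009]: Failed password for invalid user admin from 203.0.113.5 port 60002 ssh2
Nov 23 15:03:02 host sshd[1010]: Failed password for invalid user admin from 203.0.113.5 port 60003 ssh2
Nov 23 15:03:03 host sshd[1011]: Failed password for invalid user admin from 203.0.113.5 port 60004 ssh2
Nov 23 15:03:04 host sshd[1012]: Failed password for invalid user admin from 203.0.113.5 port 60005 ssh2
"""

# Constructed: a shared shell host where one abusive account would
# otherwise lock out every other user behind the same address.
SHARED_HOSTS = {"203.0.113.5"}


def parse_failures(log_text, year=2005):
    """Yield (timestamp, user, ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def decide_blocks(log_text, threshold=5, window=timedelta(minutes=10),
                  block_for=timedelta(hours=1), shared=SHARED_HOSTS):
    """Return {ip: (action, expiry)}: ('block', datetime) or ('alert', None).

    A source trips the detector when `threshold` failures fall inside any
    `window`-long span. Ordinary sources get a blackhole that expires after
    `block_for`; sources listed in `shared` only raise an alert so the
    admins can contact the remote site instead of locking out its users.
    """
    events = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        events[ip].append(ts)

    decisions = {}
    for ip, times in events.items():
        times.sort()
        # Sliding window over the sorted failure times.
        tripped = any(times[i + threshold - 1] - times[i] <= window
                      for i in range(len(times) - threshold + 1))
        if not tripped:
            continue
        if ip in shared:
            decisions[ip] = ("alert", None)
        else:
            decisions[ip] = ("block", times[-1] + block_for)
    return decisions


if __name__ == "__main__":
    for ip, (action, expiry) in sorted(decide_blocks(SAMPLE_LOG).items()):
        print(f"{ip:15} {action:5} {expiry or ''}")
```

The expiry on each block is what keeps a false positive (or a compromised host that has since been cleaned up) from staying unreachable indefinitely; the shared-host exemption is the part that answers the lockout objection raised in the quoted text without leaving the attack "unabated", since the alert still goes to someone who can act on it.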