From owner-freebsd-security Wed Aug 12 08:15:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA09471 for freebsd-security-outgoing; Wed, 12 Aug 1998 08:15:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from www.scancall.no (www.scancall.no [195.139.183.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA09463 for ; Wed, 12 Aug 1998 08:15:30 -0700 (PDT) (envelope-from Marius.Bendiksen@scancall.no)
Received: from super2.langesund.scancall.no [195.139.183.29] by www with smtp id HHPNCOFJ; Wed, 12 Aug 98 15:15:01 GMT (PowerWeb version 4.04r6)
Message-Id: <3.0.5.32.19980812171253.00964bc0@mail.scancall.no>
X-Sender: Marius@mail.scancall.no
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Wed, 12 Aug 1998 17:12:53 +0200
To: bmah@CA.Sandia.GOV
From: Marius Bendiksen
Subject: Re: UDP port 31337
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199808121458.HAA17389@stennis.ca.sandia.gov>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>I haven't seen the words "Internet" and "centralised" (for me that would be
>"centralized") in the same sentence for a while. :-)

How come that doesn't surprise me? ;)

>I don't think you were suggesting this, but this story points out the need to
>be careful with completely automated attack reporting systems.

Yeah... :) We wouldn't want that. But, as you pointed out, I didn't suggest this. What I suggested was simulating the presence of exploitable features in the system, and logging attempts to use such exploits. For starters, a daemon to emulate the presence of Back Orifice, which would have configurable attack-report levels and responses. If someone is trying to do the BO equivalent of rm -rf / on your system, they're attacking. I will *not* be convinced that they actually tried such a thing as _that_ to get a free PGP cracker ;)

I can, of course, see the problems associated with setting up something which is too sensitive, as a port 23 connection detector of course would be.

---
Marius Bendiksen, IT-Trainee, ScanCall AS

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
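The decoy daemon sketched in the message above, as an added example that is not part of the thread and not FreeBSD code: a listener that merely occupies UDP/31337, logs every datagram that arrives, and escalates from "log" to "alert" only when one source keeps probing inside a time window, which is the knob that keeps it from being as twitchy as the bare port-23 connection detector the poster warns about. The class and function names (`DecoyMonitor`, `serve`), the level names and the thresholds are assumptions; no Back Orifice protocol behaviour is emulated and no reply is ever sent, so the "responses" part of the proposal is deliberately left out.

```python
# Decoy listener for UDP/31337 with a configurable report level.
# Added illustration only; DecoyMonitor, serve(), the level names and
# the default thresholds are assumptions, not from the thread or FreeBSD.
import logging
import socket
import time
from collections import defaultdict, deque

DECOY_PORT = 31337  # the port under discussion in the thread


class DecoyMonitor:
    """Counts datagrams per source address and decides how loudly to report.

    A single stray packet is only logged; alert_after packets from the same
    source within window_seconds is escalated to "alert". The threshold is
    what keeps the decoy from firing on every random scan.
    """

    def __init__(self, alert_after=3, window_seconds=60.0):
        self.alert_after = alert_after
        self.window = window_seconds
        self._seen = defaultdict(deque)  # src_ip -> timestamps in window

    def record(self, src_ip, now=None):
        """Register one datagram from src_ip and return "log" or "alert"."""
        now = time.time() if now is None else now
        hits = self._seen[src_ip]
        hits.append(now)
        # Forget timestamps that have fallen out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        return "alert" if len(hits) >= self.alert_after else "log"

    def count(self, src_ip):
        """Number of datagrams from src_ip still inside the window."""
        return len(self._seen[src_ip])


def serve(port=DECOY_PORT, monitor=None, bind_addr="0.0.0.0"):
    """Bind the decoy port and report every datagram; runs until interrupted."""
    monitor = monitor or DecoyMonitor()
    log = logging.getLogger("decoy")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src_ip, src_port) = sock.recvfrom(4096)
            level = monitor.record(src_ip)
            msg = "udp/%d probe from %s:%d (%d bytes, %d in window)"
            args = (port, src_ip, src_port, len(data), monitor.count(src_ip))
            if level == "alert":
                log.warning(msg, *args)
            else:
                log.info(msg, *args)
            # Nothing is sent back: the decoy only occupies the port, it
            # never acts on what arrives, so no probe can drive it.


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    serve()
```

`serve()` needs the port to be free and, on most systems, no special privilege since 31337 is unprivileged; the report level is read per datagram, so a reviewer can tune `alert_after` and `window_seconds` against real scan noise before wiring the "alert" path to anything that pages a person.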