From: FBSDSecure@aol.com
Date: Tue, 30 Jan 2001 02:54:10 EST
Subject: Re: (no subject)
To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG

In a message dated 1/28/01 2:29:59 AM Pacific Standard Time, kris@obsecurity.org writes:

> > addresses are valid and which are not. So spoofing an IP address is pretty
> > close to impossible from a Dialup, xDSL, or cable modem. Another thing to
>
> Wrong. If this were true, packet-flooding based denial of service
> attacks would be almost impossible since they would be easily blocked
> and traced. The sad fact of the matter is that the majority of
> networks on the internet today, including ISPs, do not implement egress
> filtering.
>
> > point out though is if a hacker were to spoof his IP address and do a port
> > scan, what would be the point? The data is useless if it can't get back to
> > the individual. Besides, the portsentry package has an ignore file.
>
> You miss the point: the attacker won't get any information back out of
> it, but if you have a fascist response to port scans which blackholes
> all traffic coming from the IP address of the port scan, the attacker
> can spoof the packets to come from a server which is critical to the
> operation of your machine, such as your ISP's DNS servers, or mail
> servers, which will cause your machine to blackhole them and thereby
> shoot itself in the foot. At a lower level of annoyance, you can
> blackhole popular websites like google which the user might use.
>
> The point is that automated active response is almost always a bad
> idea, because it can be fooled into doing more harm than good.
>
> Kris

Then why don't the ISPs use egress filtering? To me it would stop a lot of the junk that is going on on the internet. Like I said, all critical IPs are placed in the ignore file. The DNS and email servers I did not consider, but they will be added. Thanks for the tip.

Dan.
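The two mechanisms argued over in this exchange, egress (source-address) filtering at the access network and a port-scan responder that blackholes the apparent source, as an added simulation that is not part of the original thread and is not code from FreeBSD or from portsentry. Every address, prefix and packet in it is constructed; the responder is a hypothetical one with two modes, reacting to a bare SYN (spoofable) or only to a completed handshake (which a blind spoofer cannot finish because it never sees the SYN/ACK). The ignore list stands in for Dan's "ignore file".

```python
"""Egress filtering vs. automated active response to port scans.

Added example, not from the original thread, FreeBSD or portsentry.
All addresses, prefixes and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    flags: str  # "S" = bare SYN, "A" = final ACK of the 3-way handshake


# 1. Egress filtering (BCP 38 / RFC 2827): the access network forwards only
#    packets whose source address it actually assigned to its customers.
def egress_filter(assigned_prefixes, packets):
    """Return (forwarded, dropped) for packets leaving the access network."""
    nets = [ipaddress.ip_network(p) for p in assigned_prefixes]
    forwarded, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt.src)
        (forwarded if any(src in n for n in nets) else dropped).append(pkt)
    return forwarded, dropped


# 2. A hypothetical scan responder that blackholes probing addresses.
@dataclass
class ScanResponder:
    """stateless=True : blackhole on any SYN to a watched port (spoofable).
    stateless=False: blackhole only when the peer completes the handshake,
                     which proves it can receive our replies.
    Addresses in `ignore` are never blackholed (the 'ignore file')."""
    watched_ports: frozenset
    ignore: frozenset = frozenset()
    stateless: bool = True
    blackholed: set = field(default_factory=set)
    _half_open: set = field(default_factory=set)

    def observe(self, pkt: Packet):
        if pkt.dport not in self.watched_ports:
            return
        if self.stateless:
            self._block(pkt.src)
        elif pkt.flags == "S":
            self._half_open.add((pkt.src, pkt.dport))
        elif pkt.flags == "A" and (pkt.src, pkt.dport) in self._half_open:
            self._block(pkt.src)

    def _block(self, src):
        if src not in self.ignore:
            self.blackholed.add(src)


# Constructed scenario (documentation prefixes, nothing real).
ISP_PREFIXES = ["198.51.100.0/24"]   # space the attacker's ISP assigned
ATTACKER = "198.51.100.77"           # a dial-up/xDSL customer of that ISP
ISP_DNS = "203.0.113.53"             # the victim's resolver (critical)
POPULAR_SITE = "192.0.2.80"          # a site the victim's user visits
VICTIM_PORTS = frozenset({111, 1080})


def attacker_traffic():
    """Packets the attacker sends: forged-source SYNs plus one genuine scan."""
    return [
        Packet(src=ISP_DNS, dport=111, flags="S"),        # spoofed
        Packet(src=POPULAR_SITE, dport=1080, flags="S"),  # spoofed
        Packet(src=ATTACKER, dport=111, flags="S"),       # genuine scan...
        Packet(src=ATTACKER, dport=111, flags="A"),       # ...handshake done
    ]


def run(ignore=(), stateless=True, isp_filters_egress=False):
    """Return the set of addresses the victim ends up blackholing."""
    pkts = attacker_traffic()
    if isp_filters_egress:
        pkts, _ = egress_filter(ISP_PREFIXES, pkts)
    r = ScanResponder(VICTIM_PORTS, frozenset(ignore), stateless)
    for p in pkts:
        r.observe(p)
    return r.blackholed


if __name__ == "__main__":
    print("SYN-triggered, no ignore list:", sorted(run()))
    print("SYN-triggered, DNS ignored:   ", sorted(run(ignore={ISP_DNS})))
    print("handshake-triggered:          ", sorted(run(stateless=False)))
    print("ISP filters egress:           ", sorted(run(isp_filters_egress=True)))
```

Running it shows the two sides of the argument at once: the SYN-triggered responder blackholes the resolver and the popular site along with the attacker, adding the resolver to the ignore list still leaves the popular site blackholed (the ignore file cannot enumerate every address the attacker may forge), while either upstream egress filtering or requiring a completed handshake leaves only the attacker's real address blackholed.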