Date: Thu, 13 Aug 1998 14:03:28 -0700
From: Jamie Lawrence <jal@ThirdAge.com>
To: Nicholas Charles Brawn <ncb05@uow.edu.au>, Brett Glass <brett@lariat.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Message-ID: <3.0.5.32.19980813140328.00a9f700@204.74.82.151>
In-Reply-To: <Pine.SOL.4.02.9808131048280.17130-100000@banshee.cs.uow.edu.au>
References: <199808121700.LAA00346@lariat.lariat.org>
At 10:51 AM 8/13/98 +1000, Nicholas Charles Brawn wrote:
>On Wed, 12 Aug 1998, Brett Glass wrote:

[Attack software musings deleted]

>The company formerly known as SNI (now integrated into NAI) wrote a
>paper on Intrusion Detection Systems a while ago which discouraged this
>attitude. Their argument focused on the fact that what if someone
>*knows* that this is the response that will be sent if your daemon
>detects a connection attempt. Don't forget how easily udp packets can be
>forged...

Automated attack software is a very bad idea. Not only can it be used
against bystanders, it can also be tripped accidentally by someone
completely innocent.

Traps which are intended to defend property in the physical world are
illegal in most countries for a very good reason: they have no way of
knowing intent, and strike blindly. The same goes for software.

Arguments along the lines of "they wouldn't be attaching to port 31337
for any other reason", etc. are silly, if you think about it.

Security software, IMO, should only ever log, notify, and (in some
situations) disable services. If an admin thinks a counter-attack is
appropriate, they should do it manually (after thinking it over very,
very carefully).

-j
