From owner-freebsd-security Thu Aug 13 14:06:16 1998
Date: Thu, 13 Aug 1998 14:03:28 -0700
From: Jamie Lawrence <jal@ThirdAge.com>
To: Nicholas Charles Brawn, Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
References: <199808121700.LAA00346@lariat.lariat.org>

At 10:51 AM 8/13/98 +1000, Nicholas Charles Brawn wrote:

>On Wed, 12 Aug 1998, Brett Glass wrote:

[Attack software musings deleted]

>The company formerly known as SNI (now integrated into NAI) wrote a
>paper on Intrusion Detection Systems a while ago which discouraged this
>attitude. Their argument focused on the fact that what if someone
>*knows* that this is the response that will be sent if your daemon
>detects a connection attempt. Don't forget how easily UDP packets can be
>forged...

Automated attack software is a very bad idea. Not only can it be used
against bystanders, it can also be tripped accidentally by someone
completely innocent. Traps which are intended to defend property in the
physical world are illegal in most countries for a very good reason: they
have no way of knowing intent, and strike blindly. The same goes for
software.
Arguments along the lines of "they wouldn't be attaching to port 31337
for any other reason", etc. are silly, if you think about it. Security
software, IMO, should only ever log, notify, and (in some situations)
disable services. If an admin thinks a counter-attack is appropriate,
they should do it manually (after thinking it over very, very carefully).

-j

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
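The log/notify/disable policy argued for above, as an added example that is not part of the original thread (Python; ProbeMonitor, the thresholds and the sample events are assumptions): a handler for datagrams arriving on UDP 31337 that records every probe, notifies once per claimed source address per window, and recommends disabling the listener under a flood, but never sends anything back, because the source address of a UDP datagram is only a claim.

```python
"""Added example (not from the thread): a log/notify/disable monitor for
probes to UDP port 31337 that never answers the source.
All names and thresholds below are assumptions for illustration."""
from collections import deque
from dataclasses import dataclass, field

PROBE_PORT = 31337              # the port discussed in the thread
NOTIFY_WINDOW = 300.0           # seconds between notifications per source
FLOOD_WINDOW = 60.0             # seconds over which flood volume is counted
FLOOD_THRESHOLD = 100           # probes in FLOOD_WINDOW that justify disabling

@dataclass
class ProbeMonitor:
    last_notified: dict = field(default_factory=dict)   # src_ip -> last alert ts
    recent: deque = field(default_factory=deque)        # timestamps in flood window
    disabled: bool = False

    def observe(self, src_ip: str, src_port: int, payload: bytes, ts: float) -> list:
        """Return the actions for one datagram. Every probe is logged; a
        notification is raised at most once per NOTIFY_WINDOW per source;
        a flood (typically sprayed, forged sources) becomes a 'disable'
        recommendation. No action ever targets src_ip."""
        actions = []
        record = {"ts": ts, "src": f"{src_ip}:{src_port}", "dport": PROBE_PORT,
                  "len": len(payload), "src_trusted": False}
        actions.append(("log", record))
        last = self.last_notified.get(src_ip)
        if last is None or ts - last >= NOTIFY_WINDOW:
            self.last_notified[src_ip] = ts
            actions.append(("notify", f"probe on udp/{PROBE_PORT} claiming source {src_ip}"))
        self.recent.append(ts)
        while self.recent and ts - self.recent[0] > FLOOD_WINDOW:
            self.recent.popleft()
        if len(self.recent) > FLOOD_THRESHOLD and not self.disabled:
            self.disabled = True
            actions.append(("disable", f"stop listening on udp/{PROBE_PORT}: flood"))
        return actions

def replay(monitor: ProbeMonitor, events) -> dict:
    """Run constructed events through the monitor and count actions by kind."""
    counts = {"log": 0, "notify": 0, "disable": 0}
    for src_ip, src_port, payload, ts in events:
        for kind, _ in monitor.observe(src_ip, src_port, payload, ts):
            counts[kind] += 1
    return counts

# Constructed sample: one host probing twice, then a spray of 150 distinct sources.
SAMPLE = [("192.0.2.10", 4000, b"x", 0.0), ("192.0.2.10", 4001, b"x", 10.0)] + \
         [(f"198.51.100.{i % 250}", 5000 + i, b"\x00", 20.0 + i * 0.1) for i in range(150)]

if __name__ == "__main__":
    print(replay(ProbeMonitor(), SAMPLE))
```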