Date:      Sat, 21 Feb 2009 15:09:36 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Bakul Shah <bakul@bitblocks.com>
Cc:        net@freebsd.org
Subject:   Re: A more pliable firewall 
Message-ID:  <20090221135053.J46613@sola.nimnet.asn.au>
In-Reply-To: <20090220205003.301AB5B3E@mail.bitblocks.com>
References:  <20090220055936.035255B1B@mail.bitblocks.com> <alpine.BSF.2.00.0902201024090.18688@nys.njf-arg.bet.hn> <20090220235840.I46613@sola.nimnet.asn.au> <20090220205003.301AB5B3E@mail.bitblocks.com>

On Fri, 20 Feb 2009, Bakul Shah wrote:
 > Thanks to everyone who responded.  Looks like all the pieces
 > to do this exist.  All I have to do is to package it all in
 > one program "sheriff" that watches various log files and
 > pulls the trigger on the bad guy(s) at appropriate time.

Wild West imagery indeed :)

 > I think I will add a program to keep running stats on *all*
 > the tcp/udp senders to find all those annoyingly pesky repeat
 > senders who have no business talking to my network.

Be prepared for a very, very large list!  Maybe needing some sort of 
tree/trie or hashing algorithm to handle quickly as it grows.  You'll 
also need some expiry mechanism after a period, as many if not most of 
these are transient scans from infected 'doze boxes, trojans du jour.

And that after you've ignored the near-constant 'background radiation' 
from 'doze boxes to eg TCP dst-ports 135,139,445,1433 and others, and 
UDP dst-ports 135,137,138,1433,1434,1900 etc; no use chasing such more 
or less constant misconfigs, they'll only mask more interesting stuff.

 > What would be nice is a standard interface to report
 > suspicious failures (sort of like syslog).  If the same guy
 > sends N DNS requests for the same thing and every request
 > fails, chances are he is a bad guy (or a zombie acting on
 > behalf of one).  Perhaps some day a trusted network of such
 > daemons can be used to "back pressure" the closest ISP to the
 > sender -- who can then shut him down for a while.

One note of caution: TCP is straightforward enough, the three-way 
handshake verifying the source address (if it proceeds to connection).
However it's trivial to forge UDP source addresses, as the recent DNS 
amplification attacks I mentioned amply demonstrate.

In such cases, the address appearing to be sending DNS requests logged 
as, say, "address#port query (cache) './NS/IN' denied" is the *victim* 
of such attacks, and blocking all access to/from such addresses, often 
nameservers of large ISPs, amounts to shooting yourself in the foot as 
well as further punishing the victim - the unknown attacker's intention!

In that case it's sufficient to block 'from $victim to $me 53', still 
allowing $me to query their nameservers, eg to send them some mail :)

good luck,

Ian
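As an added example (not code from this thread or from either poster), here is a minimal "sheriff"-style watcher in Python that ties together two points above: the per-sender running counter with an expiry window Ian recommends, and his caveat that a source logged in a BIND "query ... denied" line may be a spoofed UDP victim, so the emitted rule blocks only 'from $victim to $me 53' rather than all traffic from that address. The log lines are constructed in the shape of BIND's denied-query messages (addresses from documentation ranges), the threshold and window are arbitrary, and the ipfw rule strings are illustrative text that the script prints rather than executes.

```python
"""Added example (not from the thread): a minimal "sheriff"-style log watcher.

Parses BIND-style "query ... denied" lines, keeps a per-source counter with a
sliding expiry window, and for sources over threshold emits a deliberately
narrow ipfw rule: deny UDP from that source to our port 53 only.  Because UDP
source addresses are trivially forged, the "sender" may be the victim of a
reflection attack, so a blanket block would punish the victim and cut us off
from their nameservers.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the shape of BIND's denied-query messages.
SAMPLE_LOG = """\
20-Feb-2009 10:00:01.000 client 192.0.2.10#53 query (cache) './NS/IN' denied
20-Feb-2009 10:00:02.000 client 192.0.2.10#53 query (cache) './NS/IN' denied
20-Feb-2009 10:00:03.000 client 192.0.2.10#53 query (cache) './NS/IN' denied
20-Feb-2009 10:00:04.000 client 198.51.100.7#4321 query (cache) 'example.com/A/IN' denied
20-Feb-2009 10:30:05.000 client 192.0.2.10#53 query (cache) './NS/IN' denied
"""

# The colon after the port is optional: real BIND writes "addr#port:", the
# thread quotes the line without it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+):? "
    r"query \(cache\) '(?P<q>[^']*)' denied"
)

WINDOW = timedelta(minutes=10)   # arbitrary expiry window (assumption)
THRESHOLD = 3                    # arbitrary "N failures" threshold (assumption)


class DeniedQueryTracker:
    """Per-source hit counter; hits older than `window` expire automatically."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)   # addr -> deque of event timestamps

    def observe(self, line):
        """Record one log line; return (addr, live_count) or None if not matched."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        addr = m["addr"]
        q = self.hits[addr]
        q.append(ts)
        # Expire entries that fell out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return addr, len(q)

    def offenders(self):
        """Sources whose live (unexpired) count is at or above threshold."""
        return sorted(a for a, q in self.hits.items() if len(q) >= self.threshold)


def narrow_rule(addr):
    """Illustrative ipfw rule: block only UDP from addr to our port 53.
    ('me' is ipfw's keyword for any address configured on this host.)"""
    return f"ipfw add deny udp from {addr} to me 53"


def sheriff(log_text, window=WINDOW, threshold=THRESHOLD):
    """Replay log lines in order; return the rules a daemon would have emitted."""
    tracker = DeniedQueryTracker(window, threshold)
    flagged = set()
    rules = []
    for line in log_text.splitlines():
        result = tracker.observe(line)
        if result is None:
            continue
        addr, count = result
        if count >= threshold and addr not in flagged:
            flagged.add(addr)
            rules.append(narrow_rule(addr))
    return rules


if __name__ == "__main__":
    for rule in sheriff(SAMPLE_LOG):
        print(rule)
```

On the sample input, 192.0.2.10 trips the threshold with three denied queries inside the window, while the lone hit from 198.51.100.7 does not. The fifth line, half an hour later, shows the expiry at work: by then the three earlier hits have aged out and the source's live count is back to one. The emitted rule still lets this host query 192.0.2.10's nameservers, which is the point of keeping the block narrow.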
