From owner-freebsd-security  Fri Mar 15 13:53:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169])
	by hub.freebsd.org (Postfix) with ESMTP id 1FFA437B402
	for <freebsd-security@freebsd.org>; Fri, 15 Mar 2002 13:53:12 -0800 (PST)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2])
	by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP
	id 0E7261E38; Fri, 15 Mar 2002 21:53:08 +0000 (GMT)
Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1])
	by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id g2FLqM901129;
	Fri, 15 Mar 2002 22:52:22 +0100
Date: Fri, 15 Mar 2002 22:52:21 +0100
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: "Mark Foster" <mdf@enic.cc>
Cc: freebsd-security@freebsd.org
Subject: Re: Is PortSentry really safe to use?
Message-Id: <20020315225221.043fe3b8.kzaraska@student.uci.agh.edu.pl>
In-Reply-To: <1016228221.10601.69.camel@smokey.lan.enic.cc>
References: <2332.213.112.58.232.1016226432.squirrel@phucking.kicks-ass.org>
	<02031521302303.03229@germanium>
	<1016228221.10601.69.camel@smokey.lan.enic.cc>
Organization: University Of Mining And Metallurgy
X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On 15 Mar 2002 13:37:00 -0800 Mark Foster wrote:

> This attack (spoofing) can be circumvented by using ingress filtering on
> your router or firewall.

Not in all cases. A (partial) DoS can still be achieved by spoofing attack
from external machines the network in question relies on, like DNS servers
or HTTP proxies. 

An 'active response' mechanism in IDS can be valuable, provided it does
not trigger on easily spoofable probes. 

-- 
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// Prelude IDS: http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
//		-- Stanislaw Lem



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message