Date:      Tue, 21 Mar 2000 07:28:25 -0500
From:      Mikel <mikel@upan.org>
To:        Paul Robinson <wigstah@akitanet.co.uk>
Cc:        Alexander Langer <alex@big.endian.de>, freebsd-net@FreeBSD.ORG
Subject:   Re: ipfw fwd to requester's ip
Message-ID:  <38D76AE9.3375FE3B@upan.org>
References:  <Pine.BSF.4.21.0003202245070.31205-100000@jake.akitanet.co.uk>


As an admin for a moderately sized ISP, it is nice to be able to capture all of
that information, et cetera... And there are enough simple methods of doing
so, but unfortunately of the past 10 occurrences... I've only received 1
satisfactory notice of termination from the offender's ISP... most are sadly colo
facilities that do not seem to take these things seriously enough.

On a side note, you can run ipfw/divert/stealth in combination with
tcpwrappers to accomplish any of these tasks. Whether it be recording the time
stamp et cetera, or altering your ruleset to reroute the scanner's scans back
at them... personally, as much of a nuisance as it is, I prefer to let them
scan and I still contact the offender's ISP and go through all the motions... I
just don't hold my breath any more... ;|


Paul Robinson wrote:

> On Mon, 20 Mar 2000, Alexander Langer wrote:
>
> > Hello!
>
> Hi,
>
> > What does one have to use to fwd a TCP/UDP packet to a given port
> > back to the requester's address?
>
> OK, I'll sort of answer this, but please read all the mail, because what I
> think you're proposing is bad for soooooo many reasons.
>
> Well, I read about 3 screens down the ipfw man page, and found a useful
> section on fwd ipaddr [,port], although how you would specify the sender's
> ip address and port in here dynamically is unknown to me at the
> moment, and I suspect it can't be done. If you can find a way of logging
> the packet (bad idea, see below), then you could have something watching
> the log output, then fires off a script. You can use IPFIREWALL_VERBOSE to
> help you do this, if you really want to, which you don't as I'm about to
> explain: :)
>
> > I'm getting a whole bunch of 1234, 27374 and other trojan attacks
> > these days, and I want to fwd back these packets to the attackers :-)
> > (I want to see their faces :P)
>
> OK, this is possibly the worst thing you can do in this situation. I have
> an IDS in place which throws up scans every now and again, and by far the
> best way to do this is to capture the packets with accurate timestamps
> using something like snort (http://www.clark.net/~roesch/security.html)
> which will happily capture full packets that match the patterns you
> describe. You then find out the administrators responsible for the IP
> address you are looking at (whois -h whois.ripe.net XXX.XXX.XXX.XXX in
> Europe, and IIRC it's whois.arin.net for US?), and send to
> abuse@domainname.com...
>
> You see there are several reasons for doing this. First of all
> administrators like me understand our users misbehave, and are of course
> happy to scrape them over the hot coals as a result. Yes it's extra
> workload, but in the same way I'll deal with my users, other admins will
> deal with their users when they continually prod my servers for Back
> Orifice. Also, it can actually signal a compromised server, i.e. it's one
> of the admin's servers that has been hacked, and this sort of prompting
> will help them enormously.
>
> There are also the legal implications of what you're suggesting. In the UK
> at least, a probe to a port that is not advertised as being available to
> the public is illegal. In fact, it's the onus of the connector to a host
> to show they are authorised to do so in a given manner. I.e., anybody in
> the UK doing scanning can, theoretically, be prosecuted. If I start firing
> packets back at them, they can prosecute them. It's best I just let the
> packet get logged, and complain to their admins as netiquette suggests.
>
> Also, let's talk about the security implications in terms of
> Denial-of-Service attacks here. I compromise box A, and I don't like you
> who owns box B, so I start sending you 1,000 SYNs/sec to 31337 on box B
> from box A. Not only do I run a good chance of DoS'ing you, because you're
> processing and handling all this in the kernel in a special manner, but I
> also DoS box A. Nice. Logging of these packets alone is mildly risky, as
> theoretically filling up /var could be done by an attacker, but this is
> nowhere near as bad as DoS'ing not only your own box, but somebody else's,
> for which you will be blamed, you'll be the one that gets pulled off the
> network, etc....
>
> In short, yes it can theoretically be done, but you haven't looked hard
> enough at the options available to you to do this, you haven't thought
> about the implications, and when you do, you'll realise this is actually
> quite a bad idea. Please, for your own sake, go and download and install
> snort. It has the disadvantage of having to put the NIC into promiscuous
> mode (which requires bpf devices to be enabled in the kernel and
> MAKEDEV'd), which *slightly* slows the stack down, but otherwise it helps
> you produce hard evidence to complain with in style about these
> morons. :)
>
> Although it would be nice to 'see their faces', you won't because they're
> miles away. What you will see is your box grind as it starts doing all
> this dynamic processing, and lots of e-mail telling you you're a very
> naughty man, and you're no better than the rest of the prats who do
> this. :)
>
> --
> Paul Robinson - Developer/Systems Administrator @ Akitanet Internet
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

--
Cheers,
Mikel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| Optimized Computer Solutions, Inc        http://www.ocsny.com
| 39 W14th Street, Suite 203                   212 727 2238  x132
| New York, NY 10011
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
|  Labor rates:      Tech                  $125 hourly
|                          Net Engineer      $150 hourly
|                          Phone Support   $ 33 quarter hourly
|                          Lost Password   $ 45 per incident
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| http://www.ocsny.com/~mikel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
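Paul's reply above recommends the defensive route: log the probes with accurate timestamps (IPFIREWALL_VERBOSE output, or snort), work out who administers the source address, and send the evidence to that network's abuse contact. It also warns that any per-packet reaction, even logging, turns a flood into a self-inflicted DoS. The script below is an added example written for this archive page, not code from either poster. It parses syslog-style ipfw log lines into per-source summaries, emits an evidence block suitable for an abuse complaint, and flags sources whose packet rate is high enough that the log itself becomes the risk. The line format and the sample lines are constructed assumptions; syslog timestamps carry no year, so one is supplied.

```python
import re
from datetime import datetime

# Assumed syslog form of an ipfw log line with IPFIREWALL_VERBOSE enabled:
#   Mar 21 07:28:01 host /kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <iface>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample log: one source probing three trojan ports, one stray UDP
# packet, one accepted SSH connection, and one unrelated syslog line.
SAMPLE_LOG = """\
Mar 21 07:28:01 gw /kernel: ipfw: 500 Deny TCP 10.1.2.3:4001 192.0.2.10:27374 in via fxp0
Mar 21 07:28:01 gw /kernel: ipfw: 500 Deny TCP 10.1.2.3:4002 192.0.2.10:1234 in via fxp0
Mar 21 07:28:03 gw /kernel: ipfw: 500 Deny TCP 10.1.2.3:4003 192.0.2.10:31337 in via fxp0
Mar 21 07:28:05 gw /kernel: ipfw: 500 Deny UDP 198.51.100.7:53 192.0.2.10:1234 in via fxp0
Mar 21 07:28:05 gw /kernel: ipfw: 100 Accept TCP 203.0.113.9:40000 192.0.2.10:22 in via fxp0
Mar 21 07:28:06 gw /kernel: something unrelated
"""


def parse_line(line, year=2000):
    """Return a dict for one ipfw log line, or None for anything else.
    The year is an assumption (syslog omits it); 2000 matches the thread's date."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text, actions=("Deny",), year=2000):
    """Group logged packets by source: count, first/last time, ports and protocols."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or rec["action"] not in actions:
            continue
        e = summary.setdefault(rec["src"], {
            "count": 0, "first": rec["ts"], "last": rec["ts"],
            "ports": set(), "protos": set(),
        })
        e["count"] += 1
        e["first"] = min(e["first"], rec["ts"])
        e["last"] = max(e["last"], rec["ts"])
        e["ports"].add(rec["dport"])
        e["protos"].add(rec["proto"])
    return summary


def flag_floods(summary, pps_threshold=100):
    """Sources whose logged rate exceeds pps_threshold. At that rate the log
    (and anything reacting per packet) is the DoS surface Paul describes."""
    flagged = []
    for src, e in summary.items():
        window = max(1.0, (e["last"] - e["first"]).total_seconds())
        if e["count"] / window > pps_threshold:
            flagged.append(src)
    return sorted(flagged)


def abuse_report(summary, src):
    """Plain-text evidence block to attach to a complaint to the source's abuse contact."""
    e = summary[src]
    return "\n".join([
        f"Source: {src}",
        f"Packets logged: {e['count']}",
        f"First seen: {e['first']:%Y-%m-%d %H:%M:%S}",
        f"Last seen: {e['last']:%Y-%m-%d %H:%M:%S}",
        f"Destination ports: {', '.join(str(p) for p in sorted(e['ports']))}",
        f"Protocols: {', '.join(sorted(e['protos']))}",
    ])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src in s:
        print(abuse_report(s, src))
        print()
    print("flood sources:", flag_floods(s))
```

The whois lookup for the abuse contact is left to the operator (`whois -h whois.ripe.net` or `whois.arin.net`, as in the thread), since the registry and response format depend on the address. The flood threshold is deliberately a parameter: a source tripping it is a reason to stop logging per packet (a rate-limited or summarised rule) rather than to react per packet.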




