Date: Mon, 23 Apr 2001 18:05:47 -0400 (EDT)
From: Michael S Scheidell <scheidell@Cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts (& active ids)
Message-ID: <200104232205.f3NM5l256247@caerulus.cerintha.com>
In-Reply-To: <20010423231908.N574-100000@axis.tdd.lt>
References: <200104232113.f3NLDdL54572@caerulus.cerintha.com> <20010423231908.N574-100000@axis.tdd.lt>
In local.freebsd.security, you wrote:

> it is really easy to spoof connection source IP for your IPFW logs.
> are you sure you wish to alert the ISP?

Yes.

> Several days ago I gave a lesson to guys, running portsentry and similar
> stuff with active blocking enabled. They did not believe they had any
> security breach, but after their own systems blocked all TLD servers, they
> removed portsentry immediately. It would be really annoying for various

Yes, you can use 'things' (like stick) and nmap to spoof IP addresses, but
then you won't gather any information.

The things we are seeing, 4/5, 10, 20 per day, are Linux 'worms' (mostly
compromised Red Hat... aren't you glad you chose FreeBSD?). These compromised
systems are NOT spoofing (they are compromised, and are gathering more
'children'). If they spoof TCP/IP connections, they cannot send in their
exploit code, can't find out if there are open or closed ports, cannot
propagate, so: in these cases, yes.

To double check, since this is a central collection of intrusions, logs of
other systems (mostly DSL and home cable modem users) are compared for
consistency. Guess what: IP address w.x.y.z appears on several different
logs, and a quick look at w.x.y.z shows Red Hat 6.2 running with open ports
21, 53, 98, 111 and 515. Was it an IP spoof? Hardly. ISP contacted, logs
sent, client thanks us that we alerted him, as he had no clue.

> One of best practices is to build honeypots - early warning systems with
> great publicity and observed security. And software, with changed banners
> into older ones :)

These aren't honeypots, but with several (70+ active agents) recording the
same port scans from the same IP addresses, either:

A) someone is spoofing (not decoy, just spoofing) certain IP addresses who
just happen to have the lion or adore root kit installed on them, or

B) they are spoofing just for fun, scanning multiple A blocks ranging from
24.0.0.0/8 @home cable modems to 63.0.0.0 DSL lines to 216, 207, etc.

So, in these cases, what is more likely?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
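The cross-checking the post describes (the same source IP showing up in ipfw logs from many independent agents, probing the same ports) is what makes a spoofed source unlikely. The following is an added example, not code from the original post or from the poster's collection system. It parses a handful of constructed log lines written in the style of FreeBSD ipfw syslog output (the exact field layout, the sensor names and the addresses are assumptions), groups sightings by source IP, and reports only sources seen by at least three separate sensors; a single-sensor sighting is left as inconclusive, since a lone packet could be spoofed.

```python
import re
from collections import defaultdict

# Constructed sample lines imitating FreeBSD ipfw 'log' output as forwarded to a
# central collector. The syslog hostname (agent01, agent17, ...) identifies the
# sensor; the format and all addresses are assumptions, not real data.
SAMPLE_LOGS = """\
Apr 23 17:55:01 agent01 /kernel: ipfw: 300 Deny TCP 203.0.113.7:3412 192.0.2.10:111 in via fxp0
Apr 23 17:55:02 agent01 /kernel: ipfw: 300 Deny TCP 203.0.113.7:3413 192.0.2.10:515 in via fxp0
Apr 23 18:02:44 agent17 /kernel: ipfw: 300 Deny TCP 203.0.113.7:1025 198.51.100.4:111 in via ed0
Apr 23 18:02:45 agent17 /kernel: ipfw: 300 Deny TCP 203.0.113.7:1026 198.51.100.4:515 in via ed0
Apr 23 18:30:10 agent42 /kernel: ipfw: 300 Deny TCP 203.0.113.7:2201 192.0.2.77:111 in via xl0
Apr 23 18:31:00 agent42 /kernel: ipfw: 300 Deny TCP 198.51.100.200:6000 192.0.2.77:22 in via xl0
Apr 23 18:40:00 agent05 /kernel: ipfw: 300 Deny UDP 192.0.2.250:53 198.51.100.9:53 in via fxp0
"""

# One inbound ipfw log line: timestamp, sensor, rule number, action, protocol,
# source ip:port, destination ip:port, then "in via <ifname>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<sensor>\S+)\s+\S+\s+ipfw:\s+\d+\s+"
    r"(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+in\b"
)


def parse_lines(text):
    """Return one dict per parseable log line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def correlate(events):
    """For each source IP, collect the set of sensors that saw it and the
    destination ports it touched across all sensors."""
    sensors = defaultdict(set)
    ports = defaultdict(set)
    for e in events:
        sensors[e["src"]].add(e["sensor"])
        ports[e["src"]].add(e["dport"])
    return {src: {"sensors": sensors[src], "ports": ports[src]} for src in sensors}


def likely_real_scanners(summary, min_sensors=3):
    """Sources reported by at least min_sensors independent agents.
    Spoofing one address consistently across many unrelated networks is far
    less plausible than a single compromised host scanning them; a source seen
    by only one sensor is not reported, because one packet could be spoofed."""
    return sorted(src for src, s in summary.items() if len(s["sensors"]) >= min_sensors)


if __name__ == "__main__":
    summary = correlate(parse_lines(SAMPLE_LOGS))
    for src in likely_real_scanners(summary):
        s = summary[src]
        print(f"{src}: seen by {len(s['sensors'])} sensors, ports {sorted(s['ports'])}")
```

The threshold of three sensors is a starting point, not a rule; with the 70+ agents the post mentions, a source that appears on a dozen logs probing ports 111 and 515 is a strong candidate for a report to the owning ISP, while a source seen once is worth watching but not acting on.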
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104232205.f3NM5l256247>