Re: Arbor Networks DoS defense product
On Wed, 15 May 2002, Lyndon Nerenberg wrote:
I usually avoid blackhole subscription lists like this. They let the attacker take out your legitimate peers by spoofing the source.
If they can take out your legitimate peers by spoofing end to end TCP connections, then you have got some really enormous problems that need to be addressed. I don't think spoofing will be a problem for the landmines. Most attacks (99%?) are tcp. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Hi, Dan. ] I don't think spoofing will be a problem for the landmines. Most attacks ] (99%?) are tcp. Hmm... Not based on my research. The most common attack capabilities in the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most of the DoS tools contain the same attack types as the bots. On the receiving end, upwards of 80% of all the woe I track is not TCP. Thanks, Rob. -- Rob Thomas http://www.cymru.com/~robt ASSERT(coffee != empty);
On Wed, 15 May 2002, Rob Thomas wrote:
] I don't think spoofing will be a problem for the landmines. Most attacks ] (99%?) are tcp. Hmm... Not based on my research. The most common attack capabilities in the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most of the DoS tools contain the same attack types as the bots. On the receiving end, upwards of 80% of all the woe I track is not TCP.
You miss the point of this: We are not landmining for DOSing. We are landmining to make it very dangerous for attackers to scan networks and probe hosts. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Wed, 15 May 2002, Dan Hollis wrote:
On Wed, 15 May 2002, Rob Thomas wrote:
] I don't think spoofing will be a problem for the landmines. Most attacks ] (99%?) are tcp. Hmm... Not based on my research. The most common attack capabilities in the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most of the DoS tools contain the same attack types as the bots. On the receiving end, upwards of 80% of all the woe I track is not TCP.
You miss the point of this:
We are not landmining for DOSing.
We are landmining to make it very dangerous for attackers to scan networks and probe hosts.
-Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime. PJ -- He thought of Musashi, the Sword Saint, standing in his garden more than three hundred years ago. "What is the 'Body of a rock'?" he was asked. In answer, Musashi summoned a pupil of his and bid him kill himself by slashing his abdomen with a knife. Just as the pupil was about to comply, the Master stayed his hand, saying, "That is the 'Body of a rock'." -- Eric Van Lustbader
On Wed, 15 May 2002, PJ wrote:
On Wed, 15 May 2002, Dan Hollis wrote:
We are not landmining for DOSing. We are landmining to make it very dangerous for attackers to scan networks and probe hosts.
Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
It would take more than a single landmine hit to get blackholed. Like, duh. Enough hits on a wide sensor net prove bad intentions, as proven by dshield. I'm surprised at the extremely shallow level of arguments so far against landmines. Well, I guess I shouldn't be surprised -- this *IS* nanog, after all... :P -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Wed, 15 May 2002, Dan Hollis wrote:
On Wed, 15 May 2002, PJ wrote:
On Wed, 15 May 2002, Dan Hollis wrote:
We are not landmining for DOSing. We are landmining to make it very dangerous for attackers to scan networks and probe hosts.
Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
It would take more than a single landmine hit to get blackholed. Like, duh.
Forgive me for daring to ask a question. How many imply bad intent in general practice? 4? 5? 10? Any time limitations? I am sure they are, but I am just curious. Would the paranoid timing setting in nmap trigger it?
Enough hits on a wide sensor net prove bad intentions, as proven by dshield.
"Prove?" What exactly is enough hits? Is it dependent on the size of the network? Again, what about the timing factor? All that will happen is anyone with hostile intent will start breaking up networks into smaller chunks to be scanned from different hosts. I don't see it solving the so-called problem of scanning.
I'm suprised at the extremely shallow level of arguments so far against landmines.
I am surprised at the extremely shallow level of thinking that seeks to shift the burden of security maintenance off of the shoulders of those who should be responsible. Would you block just a host or a network? What about dynamic ips? It doesn't take much bandwidth to probe. Blackhole enough of the net and you effectively serve the purpose of DOSing yourself. PJ -- A diplomat is man who always remembers a woman's birthday but never her age. -- Robert Frost
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
crime, or art? ;-) http://www.nytimes.com/2002/05/13/arts/design/13ARTS.html -d. --- http://www.monkey.org/~dugsong/
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
So you can think of a perfectly legitimate reason to scan someone else's netblocks on specific TCP ports? -c
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
Feel free to go portscan some US military and federal interest networks, then. If it's not a crime, you shouldn't have any problems scanning them. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Wed, 15 May 2002, Johannes B. Ullrich wrote:
Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
I agree. Scanning is no crime. But blocking isn't a crime either.
Agreed. But this blocking still will do no good. My previous questions still stand. What about timing? What about breaking up segments of the network to be scanned by different hosts? How many hits on the linemines constitute blocking? Are you blocking hosts or networks? Either way, what about dynamic ips? What about scans done from different networks other than that which the supposed attacker is originating from. Universities, unsecured wireless lans, etc. PJ -- Art is a lie which makes us realize the truth. -- Picasso
What about timing? What about breaking up segments of the network to be scanned by different hosts?
It's really a matter of getting a sizable 'line mine net' up. With dshield, I hope to ultimately have a couple in each AS, probably with some local aggregation. The trick is that you use other people's line mines. It doesn't help you to use your own. Scan & exploit often come in one package so by the time you figure out you are scanned, you probably already lost a few hosts. The trick with distributed (or 'collaborative' as I think it is better called) intrusion detection is that whoever gets scanned first tells everyone else. Also: This has to be automated. Because whoever gets hit first is probably too busy cleaning up to worry about posting all the gory details on this or any other list.
How many hits on the linemines constitute blocking? Are you blocking hosts or networks?
up to you... Setting too much of a policy would make the system predictable and vulnerable. (attacker knows: only scan 99 hosts from each zombie...)
Either way, what about dynamic ips?
blocking a network will take care of them. Other than that: for a DSL/cable line the IP will not change much, and for a dialup line they would have to hang up & dial a lot to get a good IP distribution.
What about scans done from different networks other than that which the supposed attacker is originating from.
Well, then these networks are marked as "attackers", which is ok. They can clean up their systems and enjoy full access again.
Universities, unsecured wireless lans, etc.
same thing: if you run an unsecured wireless network, maybe you shouldn't have given it access to the net in the first place.
On 15 May 2002, Johannes B. Ullrich wrote:
What about scans done from different networks other than that which the supposed attacker is originating from. Well, then these networks are marked as "attackers", which is ok. They can clean up their systems and enjoy full access again.
Yes. Part of such blackholing would be hoped to have a "behaviour modification" effect the same way that RBL does. Many NOCs/admins are too apathetic/lazy/incompetent/toothless to do anything about shutting down compromised boxes/script kiddies. Blackholing them from the net would provide motivation. And some protection against those attackers. When management can no longer download their pr0n you can damn well bet they will "want it fixed NOW" and will give whatever authorization required to do it. Well, you get the point. :P It's not intended to be perfect. It's intended to make life more difficult for attackers, and to reduce impact of attacks at least a little bit. And motivate lazy networks to fix their broken shit. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Wed, May 15, 2002 at 06:19:00PM -0700, briareos@otherlands.net said: [snip]
On Wed, 15 May 2002, Johannes B. Ullrich wrote: [briareos@otherlands.net]
Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
I agree. Scanning is no crime. But blocking isn't a crime either.
Agreed. But this blocking still will do no good. My previous questions still stand. What about timing? What about breaking up segments of the network to be scanned by different hosts? How many hits on the linemines constitute blocking? Are you blocking hosts or networks? Either way, what about dynamic ips? What about scans done from different networks other than that which the supposed attacker is originating from. Universities, unsecured wireless lans, etc.
So because we can't implement a perfect solution, let's do nothing at all about the problem?
PJ
-- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
On Thu, 16 May 2002, Scott Francis wrote:
So because we can't implement a perfect solution, let's do nothing at all about the problem?
That does sound like the general opposition to landmines, yes. It is notable that the SMTP RBLs were often attacked with exactly the same argument. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Wed, 15 May 2002, Dan Hollis wrote:
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
Feel free to go portscan some US military and federal interest networks, then. If it's not a crime, you shouldn't have any problems scanning them.
If it's a crime, someone should have no problem citing the code. If it's not a crime, then I am guilty of nothing and should have nothing to fear. Of course, in the present political climate, that's probably not the case, but it doesn't make it right. However, there is legal precedent that port scanning is not illegal. There are always going to be people who are going to probe and poke, as long as there is no direct harm, who cares? Sorry, the days of people sitting in nice straight lines, only doing what you want them to do and only going where you want them to go are not yet upon us. http://online.securityfocus.com/news/126 PJ -- Aaron Gaudio "The fool finds ignorance all around him. The wise man finds ignorance within."
On Wed, 15 May 2002, PJ wrote:
If it's a crime, someone should have no problem citing the code. If it's not a crime, then I am guilty of nothing and should have nothing to fear.
Do let us know how your portscans of US military networks goes...
There are always going to be people who are going to probe and poke
Are you one of them? -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Date: Wed, 15 May 2002 20:04:42 -0700 (PDT) From: Dan Hollis <goemon@anime.net> Sender: owner-nanog@merit.edu
On Wed, 15 May 2002, PJ wrote:
If it's a crime, someone should have no problem citing the code. If it's not a crime, then I am guilty of nothing and should have nothing to fear.
Do let us know how your portscans of US military networks goes...
There are always going to be people who are going to probe and poke
Are you one of them?
IANAL, but I do know that last year a federal court in the First US District (Washington D.C. and surrounding area, as I recall) ruled that scanning was NOT illegal. It is a court of record and, until reversed by a higher court, stands as a precedent in that district (but not others). As far as I know, there has been no higher court ruling. That said, I guess if you are scanning a system in that district, you have no problems. But you may have problems if the system(s) scanned are elsewhere, though there is no specific law on the subject. The action reviewed by the court was under federal anti-hacking laws which might be construed as covering port scanning. The court held that they did not. R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634
----- Original Message ----- From: "Dan Hollis" <goemon@anime.net>
On Wed, 15 May 2002, PJ wrote:
If it's a crime, someone should have no problem citing the code. If it's not a crime, then I am guilty of nothing and should have nothing to fear.
Do let us know how your portscans of US military networks goes...
We get email regularly in our ARIN contact email box about port scans. Most of it is like the one below about a SubSeven scan. AFAIK we have never been officially ordered to cease and desist. In some instances we have been subpoenaed for our records relating to criminal activity, but at this juncture scanning is not illegal. Do we care? Yes. Do we try to stop it? Yes. Do we cancel customer accounts for such activity? Yes. Can we be held responsible for all activity originating from our IP space, probably, but it's a hell of a job tracking down all the abuse complaints from our AS. --mval ******************* This email is for your information. It is *not* a request for any specific action. It was automatically generated, but all replies will be handled personally. A host/port sweep 20020419 Port 27374 Sweep of subnet(s): 128.49.6 From <snip> Starttime Fri Apr 19 17:57:20; Endtime Fri Apr 19 17:58:08; Port 27374: attempts on about 238 addresses. was logged at this United States Department of Defense facility, apparently originating from one of your machines. The time zone is PDT (Greenwich -7 hours). Suggested interpretations: 1. One of your machines has been compromised/infected and is scanning our networks. 2. One of your users is scanning our networks. 3. (Uncommon) The source address is spoofed and another machine (probably on the same network as the source address) is doing the scanning. Thank you for your attention. --Intrusion Detection Team idt@spawar.navy.mil SPAWARSYSCEN San Diego *********************
On Wed, May 15, 2002 at 06:14:37PM -0700, briareos@otherlands.net said: [snip]
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.
Feel free to go portscan some US military and federal interest networks, then. If it's not a crime, you shouldn't have any problems scanning them.
If it's a crime, someone should have no problem citing the code. If it's not a crime, then I am guilty of nothing and should have nothing to fear. Of course, in the present political climate, that's probably not the case, but it doesn't make it right. However, there is legal precedent that port scanning is not illegal. There are
Just because something is not technically illegal (yet) doesn't make it justifiable, either.
always going to be people who are going to probe and poke, as long as there is no direct harm, who cares? Sorry, the days of people sitting
There will always be people who probe physical security of banks and other institutions, too. Such folk usually find themselves explaining their actions to the nice officers in short order. Just because something happens doesn't mean it should be condoned, or accepted as unavoidable.
in nice straight lines, only doing what you want them to do and only going where you want them to go are not yet upon us.
Agreed (I doubt that day will ever come).
There is a difference between what's legally acceptable and what's ethical or even prudent.
PJ
-- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
On Thu, May 16, 2002 at 09:35:51AM -0700, darkuncle@darkuncle.net said: [snip]
There is a difference between what's legally acceptable and what's ethical or even prudent.
One thing that I may not have made clear: I am not saying port scanning is necessarily unethical or foolish at all times, or that it has no place in the network operator's toolkit. It obviously does. However, scans tend to be a very reliable precursor to malicious activity. Perhaps a graduated landmine response that first mails the technical contact for the netblock in question after a certain threshold has been crossed, and then a blackhole after the next threshold is crossed (assuming no response from the contact attempt). -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
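As an added illustration (not code from anyone on this list, nor from dshield), here is the graduated response Scott proposes above, combined with Johannes' earlier point that landmines only pay off when every sensor reports into one shared view so the first site scanned warns the rest. The window, thresholds, grace period and /24 aggregation are assumed policy values, and the sweep driver replays constructed hits modelled on the port-27374 report quoted earlier.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values; the thread deliberately leaves them "up to you".
WINDOW = 3600        # seconds a hit stays in the sliding window
NOTIFY_AT = 20       # distinct targets inside WINDOW before the netblock contact is mailed
BLACKHOLE_AT = 50    # distinct targets inside WINDOW before blackholing is considered
GRACE = 24 * 3600    # seconds the contact gets to respond before escalation is allowed
PREFIX_LEN = 24      # score offenders per network so dynamic IPs and split scans add up


class LandmineNet:
    """Collaborative landmine aggregator: every sensor reports here, so a source
    that touched a few addresses at each of many sensors is scored on the total."""

    def __init__(self):
        self.hits = defaultdict(list)   # offender key -> [(ts, sensor, dst, port), ...]
        self.notified = {}              # offender key -> ts the contact was first mailed
        self.blackholed = set()

    @staticmethod
    def key(src):
        # Aggregate by network (Johannes: "blocking a network will take care of them").
        return str(ipaddress.ip_network(f"{src}/{PREFIX_LEN}", strict=False))

    def report(self, sensor, ts, src, dst, port):
        """Record one landmine hit; return the response tier it triggers, if any."""
        k = self.key(src)
        if k in self.blackholed:
            return "blackhole"
        # Timing matters (PJ's question): only hits inside WINDOW count, so a scan
        # that drips one probe every few minutes never accumulates enough targets.
        window = [h for h in self.hits[k] if ts - h[0] < WINDOW]
        window.append((ts, sensor, dst, port))
        self.hits[k] = window
        distinct = len({h[2] for h in window})   # distinct addresses, as in the DoD report
        if distinct >= BLACKHOLE_AT and k in self.notified and ts - self.notified[k] >= GRACE:
            self.blackholed.add(k)              # contact was warned and did nothing
            return "blackhole"
        if distinct >= NOTIFY_AT and k not in self.notified:
            self.notified[k] = ts               # first tier: mail the technical contact
            return "notify"
        return None


def sweep(net, sensor, start, src, subnet, port, count, interval):
    """Constructed driver: replay a sweep of `count` addresses in `subnet`,
    `interval` seconds apart, and return the tier reached by the last hit."""
    last = None
    for i in range(count):
        last = net.report(sensor, start + i * interval, src, f"{subnet}.{i + 1}", port)
    return last
```

The assertions below also show the caveat PJ raises: a sweep spaced five minutes apart stays under the threshold, and a second fast sweep from a different host in the same /24 a day later is what finally escalates.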