Re: Arbor Networks DoS defense product
On Thu, 16 May 2002, Dragos Ruiu wrote:

> Some people get all hyper and complain. Which is silly imho. If you don't like it, stop your network from responding to it.

That's exactly what we plan to do with BGP blackholes and landmines.

> Don't bitch and whine if your equipment is silly and leaks info. It's not the world's problem to compensate for _your_ inferior network architecture or shoddily designed network hardware.

Then you shouldn't be whining about a BGP blackhole system.

> Portscanning by no means proves "intent". Or should provoke hostile reaction.

Blackholing isn't hostile, it's defensive.

> But then again I'm of the radical opinion that if your host is compromised it is your fault for not taking appropriate precautions on inbound filters or gateways.

The blackholing is the response to networks which can't be bothered to clean up their compromised hosts. You're ranting against the wrong target I'm afraid. Please go back and read the thread from the beginning.

> I can't help it if your host does funny things when I send them funny packets.... :-)

Why are you sending funny packets?

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]
On Thu, 16 May 2002 14:44:58 PDT, Dan Hollis said:

> On Thu, 16 May 2002, Dragos Ruiu wrote:
>> I can't help it if your host does funny things when I send them funny packets.... :-)
> Why are you sending funny packets?

Unfortunately, things like TCP ECN and ICMP 'Frag Needed' are often considered "funny packets".

http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-04.txt

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
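The point made above (an ECN-negotiating SYN looks "funny" to a filter written before RFC 3168) as an added example, not code from the thread: it builds constructed 20-byte TCP headers and runs them through a naive flag check beside an ECN-aware one. Field offsets follow the standard TCP header; the function names and verdict strings are this example's own.

```python
import struct

# TCP flag bits, as laid out in the low byte of the data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
NS = 1 << 8  # nonce sum (RFC 3540), lowest bit of the high byte
CLASSIC = FIN | SYN | RST | PSH | ACK | URG  # the six pre-ECN flags


def make_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed TCP header (no options, zero checksum) for testing filters."""
    data_offset_words = 5  # 20-byte header
    off_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)


def parse_tcp_flags(segment: bytes) -> int:
    """Extract the nine flag bits from a raw TCP header."""
    (off_flags,) = struct.unpack("!H", segment[12:14])
    return off_flags & 0x1FF


def naive_verdict(flags: int) -> str:
    """Filter written before ECN: any bit outside the six classic flags is 'funny'."""
    return "drop" if flags & ~CLASSIC else "accept"


def ecn_aware_verdict(flags: int) -> str:
    """Filter that knows RFC 3168: ECE and CWR are defined flags, not garbage.
    ECN-setup SYN carries SYN+ECE+CWR; ECN-setup SYN-ACK carries SYN+ACK+ECE."""
    if flags & ~(CLASSIC | ECE | CWR):
        return "drop"  # only NS (RFC 3540) is still unknown to this filter
    if flags & (SYN | ACK) == SYN and flags & (ECE | CWR) == (ECE | CWR):
        return "accept (ECN setup)"
    if flags & (SYN | ACK) == (SYN | ACK) and flags & (ECE | CWR) == ECE:
        return "accept (ECN setup)"
    return "accept"  # a SYN with only one of ECE/CWR is simply treated as non-ECN


def compare(flags: int):
    """Run one constructed segment through both filters; returns (naive, aware)."""
    parsed = parse_tcp_flags(make_segment(flags))
    return naive_verdict(parsed), ecn_aware_verdict(parsed)


if __name__ == "__main__":
    cases = {"plain SYN": SYN, "ECN-setup SYN": SYN | ECE | CWR,
             "ECN-setup SYN-ACK": SYN | ACK | ECE, "SYN + CWR only": SYN | CWR,
             "SYN + NS bit": SYN | NS}
    for name, f in cases.items():
        naive, aware = compare(f)
        print(f"{name:20s} naive={naive:8s} ecn-aware={aware}")
```

The naive filter rejects every standards-conforming ECN handshake, which is exactly the behaviour the cited Floyd draft describes as a problem; the aware filter still rejects bits it has no definition for.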
On Fri, 17 May 2002 Valdis.Kletnieks@vt.edu wrote:

> On Thu, 16 May 2002 14:44:58 PDT, Dan Hollis said:
>> On Thu, 16 May 2002, Dragos Ruiu wrote:
>>> I can't help it if your host does funny things when I send them funny packets.... :-)
>> Why are you sending funny packets?
> Unfortunately, things like TCP ECN and ICMP 'Frag Needed' are often considered "funny packets".
> http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-04.txt

I know ECN etc have been used to evade firewalls but afaik have not been known in and of themselves to compromise or crash hosts or make them do any "funny things" besides dropping the packets outright. If you have information to the contrary please let me know.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]
>> Unfortunately, things like TCP ECN and ICMP 'Frag Needed' are often considered "funny packets".
> I know ECN etc have been used to evade firewalls but afaik have not been known in and of themselves to compromise or crash hosts or make them do any "funny things" besides dropping the packets outright.
> If you have information to the contrary please let me know.

The ECN bits have been used in the past to do OS fingerprinting. Not a big issue IMHO, but some people don't like it.

-- 
--------------------------------------------------------------------
jullrich@euclidian.com
Collaborative Intrusion Detection
join http://www.dshield.org
On Thu, May 16, 2002 at 02:44:58PM -0700, Dan Hollis <DH> said, in response to a message on Thu, 16 May 2002 by Dragos Ruiu <DR>:

<DR> Some people get all hyper and complain. Which is silly imho.
<DR> If you don't like it, stop your network from responding to it.

<DH> That's exactly what we plan to do with BGP blackholes and landmines.

<DR> Don't bitch and whine if your equipment is silly and leaks info. It's
<DR> not the world's problem to compensate for _your_ inferior network
<DR> architecture or shoddily designed network hardware.

<DH> Then you shouldn't be whining about a BGP blackhole system.

<DR> Portscanning by no means proves "intent". Or should provoke hostile
<DR> reaction.

WRONG. Time to retake Logic 101 and Ethics 101. What other intent than malice (or, at best, "unhealthy interest in somebody else's network") could portscanning someone else's network show? If you don't own it, and aren't involved in an official capacity, chances are high that you should Just Stay Off. This includes portscans. To do otherwise shows you are probing for points of attack/entry - I don't see how you can argue otherwise. If I am missing the obvious altruistic motive for portscanning, please enlighten me.

A portscan is a sign that somebody is probing your defenses, trying to find out where they might get in. Why should this NOT get a hostile (or at least defensive) reaction? Looking for any legitimate reason here.

<DH> Blackholing isn't hostile, it's defensive.

<DR> But then again I'm of the radical opinion that if your host is compromised
<DR> it is your fault for not taking appropriate precautions on inbound
<DR> filters or gateways.

Obviously, the person that actually did the typing to crack a machine is not responsible for his/her keystrokes. The person that scanned the network to find weaknesses is surely not culpable for gathering and using such information. Just like if a bank has 100-year-old security and leaves the vault door open, the person that walks in and picks up a bag of money is not responsible for stealing - it's the bank's fault for not providing adequate security.

Yes, network operators have a responsibility to their shareholders, if nobody else, to secure their networks. But that IN NO WAY takes the responsibility for illegal action off the shoulders of the person that committed it.

<DH> The blackholing is the response to networks which can't be bothered to
<DH> clean up their compromised hosts. You're ranting against the wrong target
<DH> I'm afraid. Please go back and read the thread from the beginning.

<DR> I can't help it if your host does funny things when I send them funny
<DR> packets.... :-)

<DH> Why are you sending funny packets?

Exactly. If you want to send funny packets, send them to your OWN network, or get a job as a security consultant and do this kind of thing for money. Don't try to rationalize illegal behaviour by shifting blame to somebody else. (Note: again, not saying portscanning is illegal. Other activity (break-ins, etc.) has been discussed in this message.)

-- 
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7
illum oportet crescere me autem minui