nephila (Linux Freak)
Joined: 28 Aug 2003 Posts: 384 Location: A cubicle
Posted: Thu Apr 14, 2005 8:59 am Post subject: Interesting Denial Of Service Attack
I noticed that all email from one of our servers to addresses like hotmail and gmail was bouncing. First thing I did was check that those servers were actually up and running, then I checked the mail server; everything seemed fine. Then I tried to ping those machines from the server and got network destination unreachable. I pinged the gateway and could get out, so I figured it had to be something with the DNS server. Pinging the DNS server yielded the same result: destination unreachable.
I decided to check all network settings and finally found that the portscanner had detected port scans from the DNS servers and blocked them. This is interesting: either somebody hacked the DNS servers and was running scans from them [possible but unlikely] or they were spoofing the DNS addresses [more likely], thereby getting the portscanner to block those addresses, causing a loss of mail services!!
_________________
Real programmers use Linux!
Bejorgen (TechTeamer)
Joined: 21 Jul 2003 Posts: 865 Location: The Circle of Selection
Posted: Thu Apr 14, 2005 9:35 am
There have been several reports lately of DNS poisoning. Perhaps it's linked to that?
_________________
Why is it that, as a culture, we are more comfortable seeing two men holding guns than holding hands? -- Ernest Gaines
jkroon (Site Admin)
Joined: 28 Jul 2003 Posts: 3283 Location: root@localhost
Posted: Thu Apr 14, 2005 11:17 am
Which just once more shows that blocking portscans is a bad thing to do. Whilst you are possibly preventing some script kiddie from figuring out what services you are running, you are opening yourself to DoS attacks.
I'm of the opinion that I can effectively make portscans close to impossible _and_ maintain availability without going to these measures. Perhaps block incoming SYN or other INVALID packets (like SYN,ACK without an outgoing SYN) and unrelated UDP packets, but don't just drop everything.
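An added example (not code from the thread, and not jkroon's howto) of the approach in this post, written as an iptables-restore ruleset, together with the check that the incident in the opening post calls for: an automatic scan-blocker has to keep an allowlist of the gateway and the DNS servers, because the source address of a SYN or a UDP datagram is unauthenticated and a spoofed "scan from the resolver" is all it takes to get your own resolvers blocked. The interface name eth0, the public ports and the 192.0.2.x addresses are assumptions (RFC 5737 documentation addresses); the ruleset is only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread or from jkroon's howto.
# An INPUT policy in the spirit of "drop INVALID and unrelated packets, not
# everything", plus an allowlist that any automatic scan-blocker must consult
# before it adds a DROP rule. All addresses are constructed RFC 5737
# documentation values; the interface name and port list are assumptions.

WAN_IF="eth0"                          # assumption: uplink interface
GATEWAY="192.0.2.1"                    # constructed
DNS_SERVERS="192.0.2.53 192.0.2.54"    # constructed
PUBLIC_TCP_PORTS="25 80"               # services meant to be reachable (SMTP, HTTP)

# Emit the baseline ruleset in iptables-restore(8) format. The policy is
# DROP, so an unknown packet is silently discarded rather than answered,
# and ESTABLISHED,RELATED lets replies to our own traffic (DNS answers,
# ICMP errors for our connections) through without per-service rules.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
    for p in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --syn --dport $p -j ACCEPT"
    done
    printf '%s\n' "COMMIT"
}

# Addresses an automatic scan-blocker must never cut off. The source
# address of a SYN or a UDP datagram is unauthenticated, so "a scan from
# the DNS server" is exactly what a spoofed packet claims.
NEVER_BLOCK="127.0.0.1 $GATEWAY $DNS_SERVERS"

is_never_block() {
    for a in $NEVER_BLOCK; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Turn an address flagged by the scan detector into a DROP rule on stdout,
# or refuse (status 1, message on stderr) when it is infrastructure.
block_rule_for() {
    if is_never_block "$1"; then
        printf '%s\n' "refusing to block $1: infrastructure address, source is probably spoofed" >&2
        return 1
    fi
    printf '%s\n' "-A INPUT -s $1 -j DROP"
}

# Dry run by default; APPLY=1 loads the ruleset atomically.
if [ "${APPLY:-0}" = 1 ]; then
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

The point of `block_rule_for` is the refusal path: whatever detector feeds it (a log watcher, a scan-detection daemon) should treat a hit on an infrastructure address as an alert to look at, not as an address to block, since that is the failure mode the opening post describes.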
derick (Hacker)
Joined: 30 May 2003 Posts: 2344 Location: /*
Posted: Thu Apr 14, 2005 3:10 pm
Yup, security through obscurity is just lazy and cowardly. I say, let the world see what ports are open and what services are listening on them -- those services should be able to handle anything you throw at them.
That's why I don't run a firewall on my desktop machines, and don't ever expect to need one either. I trust all my public-facing services, and if an exploit is found I trust them to be fixed soon enough so I don't have to worry. So far so good.
Firewalling up a rotten core is just dumb. If you can't trust the network services themselves, then why trust anything in the OS?
_________________
All men die. Not all men truly live. -- William Wallace
jkroon (Site Admin)
Joined: 28 Jul 2003 Posts: 3283 Location: root@localhost
Posted: Thu Apr 14, 2005 4:51 pm
A firewall is just another layer though. It is useful, so don't think we are saying firewalls should not be used. Just firewall an already secure system, that's all. Security is like an onion: it has many layers. A firewall can be one of these layers, but don't trust all your worth in it. Simply taking out ping is actually a good move, since a lot of scanners perform a ping-scan before scanning individual hosts; not responding to the ping will in many cases make the scanner skip over your host.
My ruleset usually consists of about 5 or 6 rules. For those who care, read my iptables howto on http://www.kroon.co.za or http://nix.cs.up.ac.za - it's all there. If you are going to try to do more than what is there you are more likely going to do damage than good. That ruleset is _very_ restrictive, whilst at the same time being usable. A port scan against my machine takes about 72 minutes and tells you that a few services are running - so what?
Although - I really need to re-iterate this (as derick already mentioned): If you really need a personal firewall, you are already doing something wrong.
derick (Hacker)
Joined: 30 May 2003 Posts: 2344 Location: /*
Posted: Thu Apr 14, 2005 6:04 pm
jkroon wrote:
> Although - I really need to re-iterate this (as derick already mentioned): If you really need a personal firewall, you are already doing something wrong.
Yes, that's what I'm talking about. I agree that firewalls on servers are good and usually necessary, but personal firewalls are exactly the same kind of patch-up excuse that anti-virus apps are. Why did M$ include a personal firewall in XP SP2? To protect the rotten core. I'd venture to say that 99.9% of personal firewalls are used solely to keep out network threats like worms and spyware.
I once read an interview with Steve Ballmer where he explained that one of M$'s chief security strategies was "securing the perimeter" -- that is, placing firewalls and AV scanners on all the gateways. There was no mention of solving the underlying OS problems, the reasons all the worms and spyware exist in the first place. Symantec and McAfee and all the AV vendors are rich because of this approach. M$'s failure to address the fundamental weaknesses of Windows has created a billion dollar industry that should never need to exist in the first place.
What has become of the world when your OS needs to be babysat by a firewall, and you have to unplug the network cable during installation to avoid being owned?
_________________
All men die. Not all men truly live. -- William Wallace
beam (Linux Freak)
Joined: 13 Sep 2004 Posts: 343
Posted: Thu Apr 14, 2005 7:44 pm
Quote:
> unplug the network cable during installation to avoid being owned?
What do you mean?
_________________
You are not a NINJA.
jkroon (Site Admin)
Joined: 28 Jul 2003 Posts: 3283 Location: root@localhost
Posted: Thu Apr 14, 2005 9:46 pm
Let's put it to you this way - before we managed to create a combined WinXP+SP2 installation CD we literally had to unplug the network cable before installing. Why? Because the system got infected by some virus before you were even through the installation! I think my record is something like 30 seconds after the network initialised for the first time! The longest - I actually rebooted once. With no network cable they usually survive at least until most of the software is installed.
Why would you want network during install? Well, to get around some really fscked up installation stuff - like being forced to create a second administrator account unless you join the machine to a domain! Hmm, I'm just going to delete that user in 10 minutes, why force me to create it?
Being owned? That simply means you are no longer the boss of your system. Some other program/person now has control over your system and how it functions. When someone hacked your box and now has control over it. When some virus took control of it and is now doing its master's bidding on your machine.
How did we get this off topic?
derick (Hacker)
Joined: 30 May 2003 Posts: 2344 Location: /*
Posted: Fri Apr 15, 2005 7:55 am
In April last year, shortly after Sasser hit and IT had done some disaster recovery, I had to fix up some of the Windows machines at Physics that had been infected by Sasser while I was on leave. I used McAfee's Stinger to get rid of the worm and after rebooting I immediately installed the Windows hotfix. A week later, I realised that there was an insane amount of network activity coming from that lab. Some network sniffing revealed that two of the machines were connecting to random IPs -- Sasser. In the time between booting and being able to install the hotfix, those two machines had already been infected. And this was after most of the Sasser outbreak had (supposedly) been contained.
jkroon wrote:
> How did we get this off topic?
DoS -> portscans -> firewalls -> M$ bashing.
I guess it was where I started ranting about firewalls.
_________________
All men die. Not all men truly live. -- William Wallace
espeer (Hacker)
Joined: 29 May 2003 Posts: 181 Location: /home/espeer
Posted: Fri Apr 15, 2005 8:53 am
derick wrote:
> Symantec and McAfee and all the AV vendors are rich because of this approach. M$'s failure to address the fundamental weaknesses of Windows has created a billion dollar industry that should never need to exist in the first place.
Yet another industry that relies on the product being broken to survive. Have you ever stopped to think that maybe half the viruses/worms out there are written by AV companies that want to sell more software? Hmm, business is a little slow this month... Let's create some more fear in the market place with a new variant, should be good for some more sales. If their AV software were 100% effective, they would literally go out of business.
Then, on the firewall front. I believe security should always be multi-tiered (much like Jaco's onion), even on workstations. I run a fairly restrictive set of iptables rules on my workstation. Why? What if I inadvertently start a service that should not have been started? Well, the firewall will catch that mistake without any harm done. Also, some exploits may rely on multiple vectors. E.g., a bug in mozilla/konqueror enables an exploit to start a program listening on port xyz. In this case, the second phase of such an exploit is also thwarted.
Then of course, there's stuff like SELinux/GrSecurity/gcc ssp... Precisely because I don't trust the services on my machine. All software is buggy, even up to date software; the trick is to minimise the damage that can be caused if something goes wrong.
So in sum, I agree with you Derick, to a point. You should not rely on a firewall to provide you with your security. But it costs nothing to run one and it could make all the difference when it matters. With security, the more the better. Again, up to a point: I wouldn't recommend SELinux in fully enforcing mode (non-targeted policy) on a workstation - you would never get any work done.
derick wrote:
> DoS -> portscans -> firewalls -> M$ bashing
<Budweiser voice>True. True.</Budweiser voice>
_________________
-- http://www.peer.co.za/~espeer (Edwin Peer)
derick (Hacker)
Joined: 30 May 2003 Posts: 2344 Location: /*
Posted: Fri Apr 15, 2005 9:06 am
From M$'s "Top 10 Reasons to Deploy Windows XP Service Pack 2" page:
Quote:
> You've probably heard the marketing message: 'Service Pack 2 for Windows XP delivers proactive protection against malicious code by blocking exploits at the point of entry as opposed to simply focusing on patching known vulnerabilities'.
If you ever wanted a prime example of marketing speak, this is it. Why "simply" patch vulnerabilities when you can ignore them and rely on the CPU to protect you from badly written code? This "proactive protection" means recompiling binaries to make use of the NX bit on AMD64 and Itanium CPUs to help prevent buffer overflows. So here's the message again: let's work around the problem instead of fixing it.
Don't get me wrong, NX is great and everything should support it, but using that as an excuse for sloppy code is pathetic.
_________________
All men die. Not all men truly live. -- William Wallace
derick (Hacker)
Joined: 30 May 2003 Posts: 2344 Location: /*
Posted: Fri Apr 15, 2005 9:49 am
espeer wrote:
> I believe security should always be multi-tiered (much like Jaco's onion), even on workstations. ... Precisely because I don't trust the services on my machine. All software is buggy, even up to date software, the trick is to minimise the damage that can be caused if something goes wrong.
> ...
> So in sum, I agree with you Derick, to a point. You should not rely on a firewall to provide you with your security. But it costs nothing to run one and it could make all the difference when it matters.
Yeah, you're right, there's a good case for proactive (to abuse that word) security measures. However, I believe that it is not irresponsible to not run a firewall on a normal Linux desktop, the way that it is to do the same on a Windows box. For all the talk of Linux not being targeted by worms and spyware because it is not popular enough, we have seen nothing, despite the immense increase in popularity. Sure, given the complexity of software nowadays there are bound to be some vulnerabilities, but I am confident that these will be fixed quickly enough in the software I use so that I don't need to worry about being owned. (Using Gentoo helps too.) In essence, I perceive the risk of something going wrong to be low enough not to make any extra efforts to secure my system. I already know exactly which services are running and I keep them up to date.
Perhaps I am being naive and slightly reckless, but I like to live in defiance of the Windows security nightmare by proving it doesn't affect my Linux desktop. It's like, "I'll start using a firewall if I get hacked." So far so good. Until then, I like the "look Ma, no hands!" feeling.
_________________
All men die. Not all men truly live. -- William Wallace
bertvl (Guru)
Joined: 18 Feb 2005 Posts: 250 Location: global village
Posted: Fri Apr 15, 2005 11:21 am
One nice thing about Windows' personal firewalls is that they associate an app with a connection; this is very useful to prevent apps doing stuff behind your back. E.g. I DLed Acrobat Reader 7 for Windows and Linux, and installed it on both. In Windows, my Kerio popped up warning me that Areader was trying to "phone home" on port 80; in Linux I see nothing since I allow outgoing connections to port 80...
Methinks iptables should be re-architected to sit at a layer where it can access (if not already) which process a socket belongs to (for connections originating/terminating at your box anyway), much like netstat -p. OTOH, iptables is more or less just what it says (perhaps layer4tables would have been slightly more accurate)... Anyway, whatever/however, it would be nice if one could block IP/port access per process/application too.
jkroon (Site Admin)
Joined: 28 Jul 2003 Posts: 3283 Location: root@localhost
Posted: Fri Apr 15, 2005 11:46 am
Ah, but you can. Take a look at the owner module in iptables, specifically --cmd-owner. You can even restrict based on the actual user the process is running as, so user jkroon + acroread7 may connect, but derick + acroread7 may not.
derick (Hacker)
Joined: 30 May 2003 Posts: 2344 Location: /*
Posted: Fri Apr 15, 2005 11:52 am
bertvl wrote:
> One nice thing about windows' personal firewalls is that they associate an app with a connection, this is very useful to prevent apps doing stuff behind your back.
Yep, a firewall comes in handy there (and it is nice that in this case it shows you which app is the perpetrator). This is a case I had not thought about, although it can be argued that it falls in the same category as spyware. Which is a major reason I don't trust closed source apps on Linux. It's very unlikely that the community would accept an open source app that phones home -- at the very least the ability would be configurable (like the DRM in KPDF). You can't hide spyware in an open source app for very long.
bertvl wrote:
> Anyway, whatever/however, it would be nice if one could block IP/port access per process/application too.
Heh, it's quite a coincidence, just yesterday I read an article on LWN that spoke about Acrobat Reader 7's "unexpected features", and someone offered the following solution:
Code:
    iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
_________________
All men die. Not all men truly live. -- William Wallace
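An added example, not the thread's own code, of the per-application egress control jkroon and derick describe above. One caveat first: the --cmd-owner option in the one-liner was removed from the kernel's owner match in 2.6.14, so on any current kernel the match has to be on the user or group that owns the socket (--uid-owner / --gid-owner). The example therefore runs the untrusted program under a dedicated account, logs and rejects that account's outbound traffic, and reduces the resulting kernel log line to the fields an admin wants to see. The account name acroread, the log prefix and the sample log line are assumptions I constructed; the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-application egress control
# with the iptables owner match. --cmd-owner (used in the thread's one-liner)
# was removed from the kernel in 2.6.14; what remains is matching on the
# uid/gid that owns the sending socket. So the application gets its own
# account, and the OUTPUT rules are written in terms of that account.
# The user name, log prefix and sample log line are assumptions/constructed.

APP_USER="acroread"        # assumption: dedicated account the viewer runs as
LOG_PREFIX="EGRESS-DENY"

# iptables-restore fragment: anything the confined user's sockets send
# (except loopback) is logged, rate-limited, then rejected.
# --log-uid makes the kernel include the owning UID/GID in the log line.
gen_egress_rules() {
    cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner $APP_USER -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX: " --log-uid
-A OUTPUT -m owner --uid-owner $APP_USER -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Launch a program as the confined account; without this the owner match
# never fires, since the socket would belong to the desktop user instead.
run_confined() {
    su -s /bin/sh "$APP_USER" -c "$*"
}

# Constructed kernel LOG line of the kind the rule above produces.
SAMPLE_LOG='Apr 15 11:52:01 host kernel: EGRESS-DENY: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1005 GID=1005'

# Reduce one LOG line to "uid proto dst:dport"; lines without our prefix
# produce no output. awk walks the KEY=VALUE fields the kernel emits.
summarise_deny() {
    printf '%s\n' "$1" | awk -v pfx="$LOG_PREFIX" '
        index($0, pfx ": ") == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "UID")   uid = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DST")   dst = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            print uid, proto, dst ":" dpt
        }'
}

# Dry run by default; APPLY=1 loads the rules atomically.
if [ "${APPLY:-0}" = 1 ]; then
    gen_egress_rules | iptables-restore
else
    gen_egress_rules
    summarise_deny "$SAMPLE_LOG"
fi
```

Rejecting rather than dropping makes the confined program fail fast instead of hanging on a connect, and the LOG line is what gives you the "which app, where to" view bertvl liked in the Windows firewalls: the UID identifies the account, and the account identifies the application.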
bertvl (Guru)
Joined: 18 Feb 2005 Posts: 250 Location: global village
Posted: Fri Apr 15, 2005 11:54 am
Well, well, well... cool! I sort of assumed it couldn't be done 'cause I haven't seen any of the iptables wrapper GUI things offer this feature before... thanks!
derick (Hacker)
Joined: 30 May 2003 Posts: 2344 Location: /*
Posted: Fri Apr 15, 2005 11:55 am
Concurrent post
jkroon wrote:
> You can even restrict based on the actual user who the process is running as, so user jkroon + acroread7 may connect, but derick + acroread7 may not.
Sweet. /me puts "become iptables guru" on his ToDo list.
_________________
All men die. Not all men truly live. -- William Wallace
bertvl (Guru)
Joined: 18 Feb 2005 Posts: 250 Location: global village
Posted: Fri Apr 15, 2005 12:05 pm
Quote:
> although it can be argued that it falls in the same category as spyware. Which is a major reason I don't trust closed source apps on Linux. It's very unlikely that the community would accept an open source app that phones home -- at the very least the ability would be configurable (like the DRM in KPDF).
Even so, many open source programs (like firefox/thunderbird for example) have the "phone home to check for upgrades" on automatically, and if you don't know they're doing it, you probably will only discover the "feature" later.
What would be nice is a wrapper GUI iptables thing that doesn't just look at the logfiles (as they seem to do), but can also "quarantine" a packet/flow not matching a rule until you allow/disallow it (as well as discard subsequent TCP retransmits etc. because you've taken too long to click OK). Maybe this exists already for Linux/X, but I haven't seen it. The app would probably sort of need to register a callback with iptables somehow to achieve this I guess, so it sort of breaks the "X is separate from Linux" model.
derick (Hacker)
Joined: 30 May 2003 Posts: 2344 Location: /*
Posted: Mon Apr 18, 2005 8:58 am
bertvl wrote:
> Even so, many open source programs (like firefox/thunderbird for example) have the "phone home to check for upgrades" on automatically, and if you don't know they're doing it, you probably will only discover the "feature" later.
Mmm, yes... I think both the Mozilla suite and OO also have (optional) QA feedback tools that can report crashes. And almost every Windows app nowadays enables "check for updates" by default. However, that's a bit different from Adobe's phoning home, which is a DRM mechanism for tracking document views.
It's just that I have more trust in the open source apps to respect my privacy, both because the community is generally more paranoid about such matters and because the source can be scrutinised for "unwanted features".
_________________
All men die. Not all men truly live. -- William Wallace
ByronMolloy (Uninitiated)
Joined: 31 Mar 2009 Posts: 1
Posted: Tue Mar 31, 2009 2:57 pm
Really you need a good DDoS protection provider that is ready to do upstream filtering to stop a DDoS in case you have one.