Hello All! What would be the advantage or disadvantage of this idea: Why not forward the packets, which will be dropped usually, and forward it to the source address? Forward except of dropping. A kind of mirror effect would maybe keep an attacker busy till you check your logs ;D
Just an idea.
Spiekey
I don't know: hitting back always has some drawbacks ... you motivate the attacker to try harder ... and what if it is not an attacker but a user trying to access a service at the wrong place? Or the attacker uses other compromised systems to carry out the attack? I think you can easily get into a legal nightmare.
Best regards ...
Reto Inversini
----- Original Message -----
From: "spiekey"
Hello All! What would be the advantage or disadvantage of this idea:
Why not forward the packets, which will be dropped usually, and forward it to the source address? Forward except of dropping.
A kind of mirror effect would maybe keep an attacker busy till you check your logs ;D
Just an Idea.
Spiekey
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi, this seems to be an evergreen (or even a zombie). Every second month we fill up this list with discussions like "How can I strike back" etc. The last one I remember was the thread "Is it possible to return something, so Nimda would crash?" from 09/21/01. I think everything about that was discussed before and we should concentrate on this list on security problems, not on strike-back scenarios. If you think you're smarter than a real hacker, and if you think you can deal with the problems you're running into when your returned packets bring down a (hacked) server of a big company with lots of lawyers - go and try.
Sorry, but I don't like to see this discussion again and again and again...
Cheers, Ralf

spiekey wrote on 23.11.2001 at 16:55:36 on the subject "[suse-security] Excotic Firewall Police":
Hello All! What would be the advantage or disadvantage of this idea:
Why not forward the packets, which will be dropped usually, and forward it to the source address? Forward except of dropping.
A kind of mirror effect would maybe keep an attacker busy till you check your logs ;D
Just an Idea.
Spiekey
Ralf 'coko' Koch * mailto:info@formel4.de * --- Press Cancel to continue
At 16:55, Friday 23 November 2001, spiekey wrote:
Hello All! What would be the advantage or disadvantage of this idea:
Why not forward the packets, which will be dropped usually, and forward it to the source address? Forward except of dropping.
A kind of mirror effect would maybe keep an attacker busy till you check your logs ;D
What if he has got more bandwidth than you?
Praise
On Fri, Nov 23, 2001 at 05:09:50PM +0100, Praise wrote:
At 16:55, Friday 23 November 2001, spiekey wrote:
Hello All! What would be the advantage or disadvantage of this idea:
Why not forward the packets, which will be dropped usually, and forward it to the source address? Forward except of dropping.
A kind of mirror effect would maybe keep an attacker busy till you check your logs ;D
What if he has got more bandwidth than you?
How about something like LaBrea, instead of directly 'hitting back'? http://www.hackbusters.net/LaBrea/ -j
Yup, On 23-Nov-01 jon wrote:
On Fri, Nov 23, 2001 at 05:09:50PM +0100, Praise wrote:
At 16:55, Friday 23 November 2001, spiekey wrote:
Hello All! What would be the advantage or disadvantage of this idea:
Why not forward the packets, which will be dropped usually, and forward it to the source address? Forward except of dropping. [...] What if he has got more bandwidth than you?
How about something like LaBrea, instead of directly 'hitting back'?
http://www.hackbusters.net/LaBrea/
-j
Basically, LaBrea is a white hat implementation of ARP spoofing, with some interesting enhanced features.
But it's NOT RECOMMENDED to use LaBrea if you are not fully aware of the problems around (D)DoS attacks, SYN floods, Smurf attacks, and bandwidth calculation. Out of the box, LaBrea fills up a 256K uplink very quickly if triggered by a relatively broad network scan, thus even legit traffic is locked out.
Oh, and I think Ralf Koch is quite right. Although it often helps to broaden your understanding of anti-cracker skills by setting up honeypots or active/passive retaliation systems (if your time allows), such techniques are of minor use in reality, and may cause problems if configured incorrectly.
Don't attack the attacker. Don't descend to their level.
Boris Lorenz
Hi, On 26 Nov 2001, at 13:40, Boris Lorenz wrote:
Oh, and I think Ralf Koch is quite right. Although it often helps to broaden your understanding of anti-cracker skills by setting up honeypots or active/passive retaliation systems (if your time allows), such techniques are of minor use in reality, and may cause problems if configured incorrectly.
Don't attack the attacker. Don't descend to their level.
I still get CodeRed/Nimda scans from about 10 different IP addresses a day. How about sending complaints along with the excerpts of the logfiles to the police and prosecuting authorities? At least in Europe, if nothing else, if enough people did that, it would show them how much work the cybercrime act would mean for them! Not that I think it would change much.
mike
Hi Mike, why send this to the police etc.? (btw: German police doesn't really care about this.) Think of what may happen: Authorities care about your mail and begin to track down the possible attacker, who - in most cases of Code<insert color/> and Nimda - doesn't know anything of running a system scanning other servers. There's only a minimum chance to track down a real attacker, but a maximum to hurt a security newbie etc.
I've seen private web surfers running Win2k Advanced Server on their desktop computer, connected via dialup to the internet. In the standard installation both the IIS and the indexing server are running afaik. They neither know what an IIS is, nor care about an indexing server. If you feel you should do something, try to contact the sysadmin and give him a hint what he (his computer) is doing and that security is something everybody should think of if connected to the internet.
I agree with your last statement: That won't change much. But if one out of ten starts to think differently of what he's doing and what he's "providing" for possible attackers, I think that's worth it!
Cheers, Ralf
Hi,
On 26 Nov 2001, at 13:40, Boris Lorenz wrote:
Oh, and I think Ralf Koch is quite right. Although it often helps to broaden your understanding of anti-cracker skills by setting up honeypots or active/passive retaliation systems (if your time allows), such techniques are of minor use in reality, and may cause problems if configured incorrectly.
Don't attack the attacker. Don't descend to their level.
I still get CodeRed/Nimda scans from about 10 different IP addresses a day. How about sending complaints along with the excerpts of the logfiles to the police and prosecuting authorities? At least in Europe, if nothing else, if enough people did that, it would show them how much work the cybercrime act would mean for them! Not that I think it would change much.
mike
Hi Ralf,
first, it is not so easy to get the e-mail address of a dialup or even ADSL/cable user (at best I can contact his provider); it takes a lot of work for a technician, while a complaint can be done by one of the secretaries.
While it is correct that currently the police will not care, the anti-hacking proposal of the EU Commission implies that "illegal access will be considered a serious attack against information systems even if the access was unintentional", so - if the current timeline (implementation into the local law systems of EU member nations until 2003) is correct - the CodeRed/Nimda "victims" are faced with a minimum highest prison sentence of 4 years (see "http://cryptome.org/eu-antihack.htm"). The cybercrime act includes a cooperation agreement of all participating countries, including the US.
So even if they do not care today, they will have to care in 2003, and we can show them how much work that means.
mike
Sorry, Mike, but that's way over my head. I'm not very firm in laws, regulations etc. As most people (hopefully), I'm pro for getting real hackers into prison etc, bladibla. But I can't believe that there will be a law - whenever - to "face i.e. CodeRed/Nimda victims with prison sentences". Try to realize what this means: If you're not fast enough to close a security gap, you might get imprisoned because a hacker uses your system to attack other systems. That's "kill the courier for the message he carries". Are you sure your system is absolutely secure and nobody will ever use it - w/o your knowledge of course - to attack others? If not, you should immediately disconnect it from the web to not become prosecuted.....
Please differentiate hackers from men in the middle!
Cheers, Ralf
Hi Ralf,
first, it is not so easy to get the e-mail address of a dialup or even ADSL/cable user (at best I can contact his provider); it takes a lot of work for a technician, while a complaint can be done by one of the secretaries.
While it is correct that currently the police will not care, the anti-hacking proposal of the EU Commission implies that "illegal access will be considered a serious attack against information systems even if the access was unintentional", so - if the current timeline (implementation into the local law systems of EU member nations until 2003) is correct - the CodeRed/Nimda "victims" are faced with a minimum highest prison sentence of 4 years (see "http://cryptome.org/eu-antihack.htm"). The cybercrime act includes a cooperation agreement of all participating countries, including the US.
So even if they do not care today, they will have to care in 2003, and we can show them how much work that means.
mike
Hi, On 26 Nov 2001, at 14:30, Ralf Koch wrote:
Please differentiate hackers from men in the middle!
I do. IIRC the proposal even indicates that URL manipulations may be illegal (that is, if one manually changes a URL to get to information where no link is provided in the HTML code - like changing "ftp://ftp.suse.com/pub/..../n2/ncpfs.rpm" to, let's say, ".../ncpfs-devel.rpm" - to get somewhere that was not wanted by the site owner), and no security measure on the side of the system owner is needed! But please read the proposal and make up your own mind; this to me is no longer security related to my understanding of what this list was made for.
HTH
mike
Hi, On 26-Nov-01 Thomas Michael Wanka wrote:
Hi,
On 26 Nov 2001, at 13:40, Boris Lorenz wrote:
Oh, and I think Ralf Koch is quite right. Although it often helps to broaden your understanding of anti-cracker skills by setting up honeypots or active/passive retaliation systems (if your time allows), such techniques are of minor use in reality, and may cause problems if configured incorrectly.
Don't attack the attacker. Don't descend to their level.
I still get CodeRed/Nimda scans from about 10 different IP addresses a day. How about sending complaints along with the excerpts of the logfiles to the police and prosecuting authorities? At least in Europe, if nothing else, if enough people did that, it would show them how much work the cybercrime act would mean for them! Not that I think it would change much.
mike
The tools section of securityfocus.com contains a small utility called "codeblue" to scan your Apache logs for CodeRed I+II/Nimda attacks, and send mails to the admins of the (probably infected) hosts. This may not be the end-all and be-all of solutions, but it's a start. It's not a good idea to transfer the logs to certain authorities without at least a quick preliminary information to the admin(s) of the responsible hosts. While there's a remote possibility to catch a downright evil attacker, chances are good to cause unwanted legal trouble by stirring up federal action against possibly innocent ppl.
PS.: IMO, the EU cybercrime treaty simply is a joke, made up by lawyers, CEOs and heads of the software industries' big cheeses to install and maintain patterns of sueability. While this may help to give flocks of unemployed solicitors a job, it's of little to no use for the security community as a whole. Just my $0.02 (that's roughly 0.02278 Euros ;) )
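The log scan Boris describes, as an added example that is neither codeblue's code nor anything posted on the list: a small Python script that parses Apache combined-format access-log lines, flags the request paths CodeRed (/default.ida?NNNN...) and Nimda (root.exe, cmd.exe) probes are known for, tallies them per source address, and drafts the notice you would send to that host's admin. The log lines are constructed samples using documentation addresses; the signature list and the report wording are my assumptions, and looking up the abuse contact (whois) and actually mailing it are left to the operator.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (documentation addresses,
# not real hosts). The first two sources send worm probes; the third is a
# normal visitor that must not be reported.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Nov/2001:16:55:36 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 287 "-" "-"
192.0.2.10 - - [23/Nov/2001:16:55:37 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.10 - - [23/Nov/2001:16:55:37 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
192.0.2.10 - - [23/Nov/2001:16:55:38 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
198.51.100.7 - - [23/Nov/2001:17:02:11 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
198.51.100.7 - - [23/Nov/2001:17:02:12 +0100] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 260 "-" "-"
203.0.113.5 - - [23/Nov/2001:17:10:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [23/Nov/2001:17:10:01 +0100] "GET /images/logo.png HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/4.0"
"""

# Combined log format: ip ident user [time] "method uri proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path signatures (assumed, based on the well-known probe strings):
# CodeRed I/II hit /default.ida with a long run of N or X characters, Nimda
# walks a list of root.exe / cmd.exe paths, usually with encoded "..\" steps.
SIGNATURES = [
    ("CodeRed", re.compile(r"^/default\.ida\?[NX]{4,}", re.IGNORECASE)),
    ("Nimda", re.compile(r"(root\.exe|cmd\.exe)", re.IGNORECASE)),
]


def classify_request(uri):
    """Return the worm name whose signature matches the request path, else None."""
    for name, pattern in SIGNATURES:
        if pattern.search(uri):
            return name
    return None


def scan_log(text):
    """Tally worm probes per source address.

    Returns {ip: {"counts": {worm: n}, "first": ts, "last": ts, "sample": uri}};
    lines that do not parse or do not match a signature are skipped.
    """
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        worm = classify_request(m["uri"])
        if worm is None:
            continue
        rec = hits.setdefault(m["ip"], {
            "counts": defaultdict(int), "first": m["time"],
            "last": m["time"], "sample": m["uri"],
        })
        rec["counts"][worm] += 1
        rec["last"] = m["time"]  # access logs are written in time order
    return hits


def abuse_report(ip, rec):
    """Draft the notice for the admin of a probing host (wording is assumed).

    Sending it is left to the operator: look up the abuse contact for `ip`
    (whois) and mail this text together with the matching log excerpt.
    """
    total = sum(rec["counts"].values())
    matched = ", ".join(f"{k}={v}" for k, v in sorted(rec["counts"].items()))
    return "\n".join([
        f"Host {ip} sent {total} worm probes to this web server",
        f"between {rec['first']} and {rec['last']}.",
        f"Matched signatures: {matched}",
        f"Example request: {rec['sample']}",
        "The host is most likely infected with CodeRed/Nimda; please check it.",
    ])


if __name__ == "__main__":
    for ip, rec in scan_log(SAMPLE_LOG).items():
        print(abuse_report(ip, rec))
        print()
```

Run against a real access_log by replacing SAMPLE_LOG with the file contents; the normal visitor 203.0.113.5 produces no report, which is the point of matching on the probe paths rather than on 404 status alone.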
participants (7)
- Boris Lorenz
- jon
- Praise
- Ralf Koch
- Reto Inversini
- spiekey
- Thomas Michael Wanka