Domain: snort.org
Stories and comments across the archive that link to snort.org.
Comments · 165
-
Re:Small Business Suite for Linux vs. Windows...
Yeah, and ipfwadmin, ipchains or ip/iproute2 that comes with any Linux installation plus the free download of for example snort to turn it into a real firewall.
-
Automated Intrusion Prevention?
I really don't think so. Not for the next many years. At least not effectively! Sure, it will probably work for some attacks, script-kiddies and all that, but an automated system would, as I see it, be easy to fool...
Let's imagine that you DoS attack a server, you write a little program that automates the attack, spoofing IP addresses of a particular ISP that you don't like, covering an entire C-class, or B-class or whatever. Maybe alternate the attack types.
Very soon the automated intrusion prevention system will have blocked all the IP addresses of the ISP. Bing.
It would be interesting to see though, also in regards to honeypot networks (nets designed to be hacked/cracked/attacked).
I believe that there is a tool that you use with snort (an IDS), to make an automated system, block IPs etc.
Anyway, my point was that for many years to come, we won't be able to live without the experienced system administrator going through logs!
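The failure mode in the post above, an auto-blocker that trusts spoofed source addresses and ends up blocking an entire ISP, as an added simulation (this is not code from the thread or from Snort; the alert feed, the `Event` shape, the ISP block 198.51.100.0/24 and the attacker address 192.0.2.7 are all constructed for the demonstration). It also goes one step past the post: the second blocker only acts on evidence an off-path forger cannot produce, a completed TCP handshake.

```python
"""Why an auto-blocker that trusts source addresses can be turned against
the ISP it is meant to protect, and one way to make it harder to fool.

Added example, not code from the original thread. The alert feed, the
Event shape and the IP ranges are constructed for the demonstration.
"""
import ipaddress
from collections import namedtuple

# One IDS alert: the claimed source address, whether the sensor saw that
# source complete a TCP three-way handshake, and the rule that fired.
Event = namedtuple("Event", "src handshake_complete signature")


def naive_blocker(events):
    """Block every claimed source that trips a signature.

    A single forged SYN is enough to get an address on the list, so an
    attacker who spoofs an ISP's whole block gets that block blocked.
    """
    return {e.src for e in events if e.signature}


def handshake_gated_blocker(events):
    """Block only sources that tripped a signature over a completed handshake.

    Finishing the handshake requires receiving our SYN-ACK, which an
    off-path attacker forging someone else's address cannot do (barring
    on-path interception or a guessable initial sequence number).
    """
    return {e.src for e in events if e.signature and e.handshake_complete}


def spoofed_flood(isp_block, signature="SYN to closed port"):
    """Attacker forges one probe per address in the ISP's block.

    None of these hosts completes a handshake: the SYN-ACK goes to the
    innocent owner of the address, not to the attacker.
    """
    return [Event(str(ip), False, signature)
            for ip in ipaddress.ip_network(isp_block)]


def real_attack(src, signature="web-cgi-probe"):
    """A genuine attacker talks to us directly and so completes the handshake."""
    return [Event(src, True, signature)]


def blocked_within(blocked, isp_block):
    """Count blocked addresses that belong to the (innocent) ISP block."""
    net = ipaddress.ip_network(isp_block)
    return sum(1 for a in blocked if ipaddress.ip_address(a) in net)


def simulate(isp_block="198.51.100.0/24", attacker="192.0.2.7"):
    """Feed the same alert stream to both blockers and compare the fallout."""
    events = spoofed_flood(isp_block) + real_attack(attacker)
    naive = naive_blocker(events)
    gated = handshake_gated_blocker(events)
    return {
        "naive_total": len(naive),            # 257: the whole /24 plus the attacker
        "naive_collateral": blocked_within(naive, isp_block),  # 256 innocent hosts
        "gated": sorted(gated),               # ['192.0.2.7'] only
    }


if __name__ == "__main__":
    print(simulate())
```

The gated blocker is not a complete answer (an attacker who owns a box can still get that box blocked, and a sensor that cannot see both directions of the flow cannot tell a completed handshake from a forged one), but it removes the cheapest way to weaponize the blocker against third parties.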
-
People are desensitized to it - like crime :)
Seriously. When this first happened, many people were aghast that you could take down the big sites like that. But it happened, the sites came back, and life goes on. I think people (normal people ;) ) are starting to realize that in their everyday life, if a site like Microsoft or Yahoo goes down, it'll be back up in a few hours. It's not life threatening. Even the investment brokers. Unless they are dying to trade at that instant (and most folks are LTBH investors) they don't care. It's a dangerous attitude in some respects, but in others it's not. It's dangerous because it makes folks think hacking is harmless (till their credit report gets ripped off, etc.) But heck, most people survive just fine if the power goes out for a bit, why not the Internet?
I'm not agreeing with them, I just see that in responses from folks I talk with that aren't /. readers. The scary part is, DDoS attacks ARE the tip of the iceberg. It's kinda like a doofus with a gun. Someone fires one in the air, everyone runs for cover, life stops for a sec, and then folks go about their business, not caring if the bullet came down and killed some poor sap. It just leaves folks unprepared for the real deal, like when hackers manage to cull sensitive info on many of the top public officials (or their computer systems) and hold the government hostage. They'll be totally unprepared.
The best we can do is a) spread the word to our less technically inclined friends that it IS a big deal, b) hacking is different from cracking, and c) contribute to hack prevention/detection systems like Snort (not necessarily in that order!)
-
Then it rocks today.
Snort can do this now.
-
Re:Win2K?
I don't know that you could filter the stuff, but you could at least log it using Snort Win-32.
-
An open-source IDS
would be SNORT
-
All the "network analysis" that I need......
www.snort.org
Sniffers Rule
-
Too bad his example packets are wrong...
Ok, so in the "broken out" packet dump at the bottom of the page, he's got several errors.
1) The TCP offset (TCP header length) is set to 6, which means that the TCP header length should be 24, and the packet shown only has a 20 byte header.
2) The Sequence number is 0, which should never happen on a SYN packet and would be easily picked up by any intrusion detection system (like Snort).
3) The IP datagram length field shows 44-bytes, but once again we're only shown 40-bytes. Where'd those other 4 bytes go?
Beyond that, this is a standard SYN packet, hardly revolutionary.
The packet at the top is a simple ICMP ECHO packet (ping), which is presumably being filtered at the NSA's gateway. That's why a response has "never been received"... Ooh, spooky!
The other claims are so much fluff. Temporal density? Just because the packet's got half as many bits as the equivalent ECHO packet from MS doesn't mean that the extra nanosecond saved is going to be added onto your life.
These packets aren't stealthed by any measure; they're only stealthed to the uninitiated because most people's eyes glaze over when confronted with binary data. What we've been presented with is an ICMP ECHO packet and a TCP SYN packet.
Let's look at the other claims:
"While you wait, real-time operation"
Explanation: When you execute the program, it runs and reports back to you.
"Continuous host-presence verification"
Explanation: When you run the scan, it pings the target to make sure it's up. Contrary to the claims on the web page, every other scanner under the sun that's used for any large scale application (like nmap, CyberCop, ISS, etc) does this.
"Comprehensive host IP address determination"
Explanation: Resolves DNS names, can make other DNS queries.
"Host stealth technology detection, penetration, and appraisal"
Explanation: If the host is discovered, it will be scanned! If the host can be reached through the firewall, it'll also be scanned. If the firewall is filtering the traffic, the program will attempt to get through but probably won't unless some well known vulnerability can be exploited.
"True firewall, versus simple packet filter, discrimination"
Explanation: They see if their packets are rejected outright or if some sort of connection establishment is allowed.
"Special "Half-Open" TCP connection "SYN" probing"
Explanation: This was special about four years ago, but now it's just called a SYN scan. This is different than a full SYN scan in that the connection is dropped after receiving the returned SYN-ACK packet instead of letting the connection complete. This is different from a free port scanner like nmap in exactly 0 ways.
"Advanced TCP non-connection "ACK" probing"
Explanation: They can do ACK scans as well. This is completely revolutionary unless you've used almost any other free scanner in the past four years.
"Fragmented and reordered packet filtering vulnerability assessment"
Explanation: nmap + fragrouter = this capability, plus more!
"UDP/ICMP reflection response probing"
Explanation: If you send a properly formatted UDP packet to port 137 on MS boxen that allow it, you'll get a response back. If it's not available, you'll get an ICMP UNREACHABLE. My god, the amazing powers of this software aren't to be believed!!
"Differential source IP analysis"
Explanation: IP spoofing! Revolutionary! Nmap has only had this capability for (at least) four years, but these guys have made it revolutionary by sticking it in their product to jack with badly misconfigured firewalls. Amazing!
"Personal Router vulnerability assessment"
Explanation: If you're behind a NAT, there's a chance that the nanoprobe may notice!
"Last-Hop Router vulnerability assessment"
Explanation: If your router/NAT is badly misconfigured, a nanoprobe may be able to see some of the other addresses that the thing is configured to talk to.
"Active protocol testing"
Explanation: Application layer testing, such as trying to brute force passwords on SMB shares. This has never been done before, unless of course you count the NetBIOS Auditing Tool (nat) program from the mid 90s...
"Packet round trip time (RTT) profiling"
Explanation: This is useful if you're trying to see if there's any time based elements to see if you're talking to a firewall or directly to the host. Righteous.
"Absolutely spoof proof"
Explanation: "We can't be spoofed because we make our own packets!" What about man in the middle attacks, guys? Are you talking IPv6 or over an encrypted tunnel? No? Oops, you can be spoofed.
Anybody remember the FreeVeracity BS from a few weeks back? I smell repeat! There's no magic here, other than the fact that this got posted to Slashdot at all.
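The three header checks the comment above does by eye (IP total length versus bytes present, TCP data offset versus the header actually shown, and a SYN carrying sequence number 0), as an added checker in Python. This is not code from the post or from Snort; the packet bytes are constructed here, with 10.0.0.1/10.0.0.2, ports 40000/80 and the identification and window values chosen arbitrarily, so that one packet reproduces exactly the inconsistencies the comment lists and the other is a consistent SYN for comparison.

```python
"""Sanity-check an IPv4+TCP header pair: does the IP total length match
the bytes present, does the TCP data offset match the header shown, and
is a SYN carrying a zero sequence number.

Added example, not from the original post. Packets are constructed.
"""
import socket
import struct


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum. Returns the checksum to store when the
    field is zeroed, and 0 when verifying a header whose field is filled in."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp_syn(total_len, data_off_words, seq,
                       src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=80):
    """Emit a 40-byte IPv4+TCP SYN. total_len, data_off_words and seq are
    taken as given so a caller can deliberately make them inconsistent."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    off_flags = (data_off_words << 12) | 0x02            # SYN flag only
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, 8192, 0, 0)
    return ip + tcp


def check_ipv4_tcp(pkt):
    """Parse the headers and return (fields, problems). TCP checksum is not
    verified here (it needs the pseudo-header); the IP header checksum is."""
    problems = []
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4:
        problems.append("IP version is %d, not 4" % (ver_ihl >> 4))
    if ipv4_checksum(pkt[:ihl]) != 0:
        problems.append("IP header checksum does not verify")
    if total_len != len(pkt):
        problems.append("IP total length says %d bytes but %d are present"
                        % (total_len, len(pkt)))
    if proto != 6:
        problems.append("IP protocol %d is not TCP" % proto)
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("too short for a TCP header")
    (sport, dport, seq, ack, off_flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4        # data offset is in 32-bit words
    flags = off_flags & 0x01FF
    syn, ack_set = bool(flags & 0x02), bool(flags & 0x10)
    if data_off < 20:
        problems.append("TCP data offset %d is below the 20-byte minimum" % data_off)
    elif data_off > len(tcp):
        problems.append("TCP data offset says %d bytes of header but only %d are present"
                        % (data_off, len(tcp)))
    if syn and not ack_set and seq == 0:
        problems.append("SYN with sequence number 0; a real stack picks an unpredictable ISN")
    fields = dict(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
                  sport=sport, dport=dport, seq=seq, ack=ack,
                  syn=syn, ack_flag=ack_set, data_off=data_off)
    return fields, problems


# Constructed packets: the one "as printed" in the comment (length 44 for
# 40 bytes, data offset 6 words = 24 bytes, seq 0) and a consistent SYN.
BAD_SYN = build_ipv4_tcp_syn(total_len=44, data_off_words=6, seq=0)
GOOD_SYN = build_ipv4_tcp_syn(total_len=40, data_off_words=5, seq=0x1A2B3C4D)

if __name__ == "__main__":
    for name, pkt in (("bad", BAD_SYN), ("good", GOOD_SYN)):
        fields, problems = check_ipv4_tcp(pkt)
        print(name, fields["src"], "->", fields["dst"], problems or "OK")
```

The same three checks are what a decoder in an IDS applies before it ever looks at rule content: a total length that overruns the captured bytes or a data offset that points past the end of the header is either a typo in a screenshot or a deliberately malformed packet, and both deserve an alert rather than a silent parse.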
-
Symantec's irrelevant to Linux
Symantec & Lotus: They already sold out, or have been crushed by Microsoft. Much more worrisome.
Of course Symantec wouldn't port their products to Linux. Most of Symantec's products would be completely unnecessary under Linux. Symantec's products page presently lists 17 software products, of which three serve solely to fix Windows or MacOS design flaws, eight serve purposes already well-served by existing free software, and two serve political purposes not in tune with many or most users of Linux-based OSes. I count only three as potential Linux-based products.
The following Symantec products serve to correct or work around design flaws of Windows/DOS or MacOS:
- Norton AntiVirus -- While viruses running under Linux have been created as experiments, the Linux platform does not suffer from the promiscuous vulnerability to machine-code viruses of unprotected platforms. Nor do Linux's popular applications suffer from unprotected scripting systems vulnerable to viruses.
- Norton CleanSweep -- Almost all Linux-based OSes use package-management systems such as dpkg and rpm, which permit the clean uninstallation of programs.
- Norton Speed Disk -- ext2fs, the current standard filesystem for Linux, does not suffer from the severe fragmentation problems of FAT, nor from the somewhat lesser but noticeable ones of FAT's successors and MacOS's HFS.
The following Symantec products serve purposes already filled by existing free software:
- Mail Gear -- The foremost mail daemons for Linux (such as sendmail, postfix, and qmail) already support the filtration of mail. Users can use procmail recipes or other tools to accomplish the task at their level.
- Norton Ghost -- Virtually every Linux-based OS ships with backup/recovery and disk-imaging tools such as dump, tar, and dd. There are even X-based versions such as guiTAR available.
- Norton Internet Security (firewall portion) -- Firewall capability is built into the Linux kernel. Several popular free packages exist to do rule-based intrusion detection, such as snort.
- Norton Utilities -- Though ext2fs is more robust than FAT or HFS, it can suffer from disk hosement in certain situations (such as loss of power); in these cases, Linux already has fsck. (Norton Utilities also contains tools that belong in the previous category, such as software to prevent program crashes from bringing down the whole OS.)
- pcAnywhere -- Linux has ssh and X for secure remote login and display.
- Procomm Plus -- The last thing Linux needs is another terminal emulator.
- Retriever -- Port-scanning software is hardly anything new to Unix; for network security mapping try SATAN or one of its derivatives such as SAINT.
- WinFax PRO -- The Hylafax system supports the sending and receiving of faxes under Linux (and other Unices) as well as network-based faxing.
The following Symantec products serve political purposes not in tune with many or most Linux users; specifically, they are parental or office censorware:
- I-Gear
- Norton Internet Security (censorware portion)
The following Symantec products are potentially useful under a Linux-based OS:
- Expert -- From the blurb, this sounds like an attempt at implementing Bruce Schneier's model of analyzing security as a business risk. (I am not convinced that Schneier is right, nor do I claim that Symantec Expert is a good implementation of his ideas... but that's another story.)
- Mobile Essentials -- While one could well keep several versions of /etc in tarballs and untar the right one for each location, I imagine laptop users would like a clean way to switch from one set of settings to another.
- TalkWorks PRO -- The last time I looked into the matter, there didn't seem to be any reasonably advanced voice-mail or answering-machine packages for Linux.
(Mobile WinFax is not counted as it runs on the PalmOS, not a conventional OS. Norton SystemWorks is not counted because it is a bundle of several packages listed above.)
In short, it is not to be taken as a surprise that Symantec, and other "utility software" companies, see themselves as not having anything to offer the Linux community -- they don't.
-
Re:Remember the AMDROCKS attack? (Bind 8.2.1)
I remember this. It was ADMROCKS though, not AMDROCKS. I got hit by this. I had so many friggin ipchains rules on my nameserver that they couldn't do a damn thing with it. They appended telnet onto the end of inetd.conf and added a couple of user accounts. But never added an ipchains rule to allow all, so they couldn't telnet in to do anything.
I sat and watched them play around with it for about 2 hours before I blocked their IP, upgraded bind, and chrooted it. Gotta love snort.
-
If you really want to use file signatures...
Dareth I say this (I'm not a censorship fan by any means, and not a security expert), but if you want to use a tagging solution to this, tag all files (I'm assuming you're using a custom format) with a known signature, and use something like Snort to find that signature in any outgoing traffic. Of course, this isn't 100% perfect (TCP fragments, etc., can confuse many firewalls and detection systems). If put towards the start of the file, it can attempt to reset the connection, as well as log the event.
Of course, if the secure data is in something like a standard Word(tm) document, you can't tag it with a phrase without forcing all documents to have a keyword, etc., in them that you know to look for, and even then newer editions use compression, which might obscure your mark.
Once again, I'm not an expert on this, and I may be 100% incorrect, so tread lightly.
-
Re:analysis tools?
The open source network analyser Ethereal at zing.org has a large number of protocols defined.
Another good analysis package is the SNORT intrusion detection system at snort.org
-
REAL free network intrusion detection
There's only one free network IDS that I'm aware of that's full-featured enough to claim the name, and that's Snort. Snort provides real time network traffic monitoring and classification, and just lately supports IP defragmentation and TCP stream reassembly, plus has many output and real-time alerting options including syslog, database (MySQL, Postgres, etc), and XML. Snort also runs on at least 21 platforms, including all the Linuces, *BSD, and Win32.
Oh yeah, it's GPL'd too.
FreeVeracity looks to be nothing more than a Tripwire clone that detects file changes on systems it's installed on. To use an analogy, it doesn't detect when your car has been stolen, but it goes off when the thieves try to repaint it.
If you're interested in checking out Snort, head over to www.snort.org and have a look around.
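Two posts above touch the same point from opposite sides: the file-signature post warns that TCP fragments can confuse a content matcher, and this one notes that Snort now does TCP stream reassembly. The added example below (Python, not code from either post nor Snort's own stream code) shows why the second fixes the first. A constructed tag `CONFIDENTIAL-TAG-7f3a` is placed at the front of a constructed file, the file is cut into segments that split the tag across a boundary, and the segments leave reordered with one retransmitted; a packet-at-a-time matcher sees nothing, a matcher run over the reassembled stream finds the tag. The reassembler is a minimal first-wins, contiguous-prefix one written for the example; the ISN and MSS values are arbitrary.

```python
"""Content matching on outgoing traffic, per packet versus after TCP
stream reassembly.

Added example, not from either post. The tag, the file bytes and the
segments are constructed; the reassembler is a minimal first-wins,
contiguous-prefix one, not Snort's stream code.
"""
from collections import namedtuple

TAG = b"CONFIDENTIAL-TAG-7f3a"                   # constructed marker in each file
Segment = namedtuple("Segment", "seq payload")   # seq: absolute TCP sequence number


def segmentize(data, isn, mss):
    """Cut a byte string into TCP segments as the sender would (seq = isn + offset)."""
    return [Segment(isn + off, data[off:off + mss])
            for off in range(0, len(data), mss)]


def per_packet_hits(segments, tag):
    """What a packet-at-a-time matcher sees: only tags wholly inside one segment."""
    return sorted(s.seq for s in segments if tag in s.payload)


def reassemble(segments, isn):
    """Rebuild the contiguous byte stream starting at isn. Tolerates reordering,
    retransmission and overlap with a first-wins policy; stops at the first gap."""
    by_offset = {}
    for s in segments:
        for i, b in enumerate(s.payload):
            by_offset.setdefault(s.seq - isn + i, b)
    out = bytearray()
    while len(out) in by_offset:
        out.append(by_offset[len(out)])
    return bytes(out)


def stream_hits(segments, isn, tag):
    """Byte offsets of the tag in the reassembled stream."""
    stream = reassemble(segments, isn)
    hits, pos = [], stream.find(tag)
    while pos != -1:
        hits.append(pos)
        pos = stream.find(tag, pos + 1)
    return hits


def demo(isn=1_000_000, mss=110):
    """A tagged file leaves the network split, reordered and partly retransmitted.

    The tag sits at bytes 100..120 of the file, so with a 110-byte MSS it is
    cut across the first two segments.
    """
    header = b"X" * 100                                  # constructed file preamble
    file_bytes = header + TAG + b"\n" + b"payload-data " * 8
    segs = segmentize(file_bytes, isn, mss)
    on_the_wire = list(reversed(segs)) + [segs[1]]       # reordered, plus a duplicate
    return {
        "per_packet": per_packet_hits(on_the_wire, TAG),       # []
        "stream": stream_hits(on_the_wire, isn, TAG),          # [100]
        "reassembled_ok": reassemble(on_the_wire, isn) == file_bytes,
    }


if __name__ == "__main__":
    print(demo())
```

The Snort equivalent of `stream_hits` is a content rule evaluated on reassembled data, roughly `alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tagged file leaving"; flow:to_server,established; content:"CONFIDENTIAL-TAG-7f3a"; sid:1000001; rev:1;)`, with the sid chosen arbitrarily here and `flow` needing the stream preprocessor to be enabled. Putting the tag at the front of the file, as the earlier post suggests, matters for the same reason it matters here: the match fires after the bytes carrying the tag have already left, so a reset can only cut off what follows.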
-
Re:I wouldn't.
Well, I realize that's a risk, but I'm just protecting my personal box [with PortSentry]. It's not like I'll inconvenience my users (I don't have any). I figure that my box will look uninteresting enough that they'll go away. Whenever an IP is dropped, I get an email, so I'm aware of what's going on, and I can fix it if I need to.
Do you have any suggestions for a better way?
I prefer snort. It logs attack attempts, but doesn't do the blocking that PortSentry does. Snort is very configurable, and can log a good deal of information.
The question I have (which I've been thinking of submitting to Ask Slashdot) is what to do with the lists of attacker IP addresses. I'm sure these are mostly just ``innocent'' compromised hosts, but it would be nice if there were some organized way for us to keep track of who those hosts were, so that people who were concerned about security could blacklist them.
Of course, there would need to be a way to ensure that the reported IP addresses are genuinely attackers (otherwise script kiddies could just submit claims that you were hacking them). Maybe Advogato's method for establishing a trust network could be adapted to the problem?