Slashdot Mirror


Distributed Computing for Tracking Net Problems?

Osrin asks: "A software firewall package that came with a recent computer purchase is using a site called MyNetWatchman to track, catalog and escalate firewall incidents back to ISPs. I was wondering what Slashdot readers think of this type of solution and which other Internet problems it would lend itself to helping resolve?"

3 of 15 comments

  1. Umm this isn't the first by jelevy01 · Score: 2, Informative

    This has been going on for a while and you may not have known it. Earthlink and many other ISPs have been using Visual Networks' IP Insight in their branded dialers for many years to track QoS and connection statistics under your nose...

  2. Spoofed addresses by Anonymous Coward · Score: 5, Informative
    When blocking a TCP connection most firewalls will just drop the SYN packet and log it. Since the 3-way handshake has not been completed, it is impossible to verify the source address and silly to notify the "sending" ISP. If you actually ran a service on that port which accepted, logged, and closed the connection, then it would be OK (but there's no trick like this to detect spoofed UDP packets).

    nmap has an option ("-S") to spoof the source address. Here's the documentation from the man page:
    Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! This is not a supported usage (or the main purpose) of this flag. I just think it raises an interesting possibility that people should be aware of before they go accusing others of port scanning them. -e would generally be required for this sort of usage.
    You could also combine this with the -D (decoy) option, which accepts a list of addresses to spoof. More text from the same man page:
    The real moral of the story is that detectors of spoofable port scans should not take action against the machine that seems like it is port scanning them. It could just be a decoy!
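The distinction the comment above draws (a dropped SYN proves nothing about its source; a completed three-way handshake does) can be made mechanical. The following is an added example, not code from the thread or from any of the products it names: a small tracker replays a constructed packet list and marks a source as attributable only when its final ACK echoes the server's initial sequence number plus one, which a blind spoofer who never sees the SYN-ACK cannot know. All addresses, ports and sequence numbers are made up for the example.

```python
"""Handshake-aware scan attribution (added example, constructed data).

A firewall that drops a SYN and logs it has recorded only a *claimed*
source address. A listener that completes the handshake has proof: the
client's final ACK must carry server_isn + 1, and the SYN-ACK that
reveals server_isn is delivered to the real owner of the source address,
not to a spoofer.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    seq: int
    ack: int = 0


@dataclass
class Flow:
    client_isn: int
    server_isn: Optional[int] = None
    verified: bool = False


class HandshakeTracker:
    """Keyed on (client, cport, server, sport); a flow becomes verified only
    when the client's ACK acknowledges exactly server_isn + 1."""

    def __init__(self) -> None:
        self.flows: dict[tuple, Flow] = {}

    def observe(self, p: Packet) -> None:
        if p.flags == "S":
            self.flows[(p.src, p.sport, p.dst, p.dport)] = Flow(client_isn=p.seq)
        elif p.flags == "SA":
            # server reply: look the flow up from the client's perspective
            flow = self.flows.get((p.dst, p.dport, p.src, p.sport))
            if flow is not None and p.ack == flow.client_isn + 1:
                flow.server_isn = p.seq
        elif p.flags == "A":
            flow = self.flows.get((p.src, p.sport, p.dst, p.dport))
            if (flow is not None and flow.server_isn is not None
                    and p.ack == flow.server_isn + 1):
                flow.verified = True

    def attribution(self) -> tuple[list[str], list[str]]:
        """Return (sources verified by a completed handshake,
        sources seen only in SYNs or with a wrong ACK)."""
        verified, unverified = set(), set()
        for (src, _, _, _), flow in self.flows.items():
            (verified if flow.verified else unverified).add(src)
        return sorted(verified), sorted(unverified - verified)


SERVER = "198.51.100.5"   # constructed listener address

# Constructed capture: one real client, one decoy, one blind guess, one
# SYN the firewall dropped without replying.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", 40000, SERVER, 445, "S", 1000),
    Packet(SERVER, 445, "203.0.113.10", 40000, "SA", 5000, 1001),
    Packet("203.0.113.10", 40000, SERVER, 445, "A", 1001, 5001),   # verified
    Packet("192.0.2.77", 40001, SERVER, 445, "S", 2000),          # decoy (-D)
    Packet(SERVER, 445, "192.0.2.77", 40001, "SA", 6000, 2001),   # goes to real owner, no ACK
    Packet("192.0.2.88", 40002, SERVER, 445, "S", 3000),          # spoofed (-S)
    Packet(SERVER, 445, "192.0.2.88", 40002, "SA", 7000, 3001),
    Packet("192.0.2.88", 40002, SERVER, 445, "A", 3001, 4242),    # blind ACK guess, wrong
    Packet("192.0.2.99", 40003, SERVER, 139, "S", 4000),          # dropped by firewall
]


def classify(packets=SAMPLE_PACKETS):
    tracker = HandshakeTracker()
    for p in packets:
        tracker.observe(p)
    return tracker.attribution()


if __name__ == "__main__":
    verified, unverified = classify()
    print("verified by completed handshake:", verified)
    print("SYN-only, source unverifiable:  ", unverified)
```

Only the first client ends up attributable; the other three are exactly the addresses a tracker should not report to an ISP. The check depends on the server's ISN being unpredictable: with guessable sequence numbers a blind spoofer can forge the final ACK, which is the classic TCP sequence-prediction attack, so this is an argument for a real listener with proper ISN randomization rather than for trusting SYN logs.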
  3. Re:Yes, but. . . by Anonymous Coward · Score: 3, Informative

    All valid points, but the bulk of the worm infestations out there aren't spoofing because then they can't spread the infection.

    Worms that spread over UDP (like Blaster) could spread using spoofed packets since they don't require two-way communication. That would probably force a lot of ISPs to install egress filters.

    Even worms that spread using TCP could send some spoofed packets occasionally, just to screw with these distributed tracking systems.

    Given the number of IP addresses that mynetwatchman.com or dshield.org have reporting to them, and the fact that they both require independent reports from multiple sources on ports with known exploits before making any type of report, the overwhelming majority of those reports are going to be for infected machines.

    A spoofed scan could still trigger that - I could scan thousands of machines while spoofing your IP address as the source, using a port with a known exploit. Somebody would probably report this to your ISP - and depending on how clueless your ISP is, they might think you're infected.

    Or if a worm is spoofing, it could find IP addresses of non-vulnerable machines and use those as the source addresses for spoofed packets. If it sent 3 spoofed packets for every real packet, any packet you received would have a 75% chance of being fake.
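The escalation threshold described in this comment, and the reason it still cannot separate an infected host from a spoofed one, can be shown with a constructed model. This is an added example, not the thread's code and not the actual rules of myNetWatchman or DShield: the watched port list, the reporter threshold and the sensor addresses are all assumptions chosen for illustration. It also carries through the decoy arithmetic from the last paragraph for an arbitrary number of decoys.

```python
"""Threshold escalation in a distributed tracker (added example,
constructed rules and data).

A claimed source is escalated only when at least MIN_REPORTERS distinct
sensors logged it probing a port on WATCHED_PORTS. Sensors that drop
SYNs record only the claimed source, so an infected host and a scan
forging an innocent host's address produce identical reports.
"""
from collections import defaultdict
from fractions import Fraction

WATCHED_PORTS = {135, 139, 445, 1434}   # constructed watch-list, not a real one
MIN_REPORTERS = 3                       # constructed threshold
SENSORS = [f"198.51.100.{i}" for i in range(1, 6)]   # five constructed sensors


def escalations(reports, min_reporters=MIN_REPORTERS, watched=WATCHED_PORTS):
    """reports: iterable of (sensor_ip, claimed_source_ip, dport).
    Returns {claimed_source: distinct_sensor_count} for every source that
    reaches the threshold on a watched port."""
    sensors_per_source = defaultdict(set)
    for sensor, source, dport in reports:
        if dport in watched:
            sensors_per_source[source].add(sensor)
    return {src: len(s) for src, s in sensors_per_source.items()
            if len(s) >= min_reporters}


def infected_host_reports(host, sensors=SENSORS, dport=445):
    """What the sensors log when a genuinely infected host probes them."""
    return [(s, host, dport) for s in sensors]


def spoofed_scan_reports(victim, sensors=SENSORS, dport=445):
    """What the sensors log when someone scans them with the SYN source
    forged as `victim` (nmap -S style). The scanner's real address never
    appears anywhere in the reports."""
    return [(s, victim, dport) for s in sensors]


def decoy_fake_fraction(decoys_per_real):
    """Fraction of received probes carrying a forged source when every real
    probe is accompanied by decoys_per_real spoofed ones (nmap -D style).
    Three decoys per real packet gives 3/4, the 75% quoted in the thread."""
    return Fraction(decoys_per_real, decoys_per_real + 1)


def demo():
    infected = infected_host_reports("203.0.113.10")
    spoofed = spoofed_scan_reports("192.0.2.50")
    # a single sensor seeing one probe on an unwatched port: below threshold
    noise = [("198.51.100.1", "203.0.113.200", 22)]
    return {
        "escalated": escalations(infected + spoofed + noise),
        # identical apart from the claimed source, which is the only field
        # the tracker has to go on
        "same_shape": [(s, d) for s, _, d in infected]
                      == [(s, d) for s, _, d in spoofed],
        "fake_fraction_with_3_decoys": decoy_fake_fraction(3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both the infected host and the innocent spoofed address cross the threshold with the same count, and nothing in the report stream distinguishes them. The only signal that would exclude the forged case is the one the earlier comment points to: counting a report only when the sensor actually completed a handshake with the source, which a SYN-dropping firewall cannot do and which does not exist at all for UDP.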