
Re: ITP: portsentry
On Thu, Oct 14, 1999 at 06:16:41PM -0700, Ben Gertzfield wrote:
> This is my Intent to Package 'portsentry', an anti port-scanning
> daemon that watches for common scanning patterns and allows the
> sysadmin to do any of the following:
> 
> 1) run a script to alert the sysadmin of the source IP and port the scan
>    came from, and/or
> 
> 2) add an ipchains rule to drop ALL traffic from that IP in the future,
>    including ICMP (nice!) and/or

great. auto-self-denial-of-service...help the script kiddies take out 
your server. all it takes is for someone to spoof a port-scan and you
automatically packet-filter the spoofed source. 

e.g. if i want to take out your mail server i simply use nslookup to
find out what your DNS server is. i then spoof a strobe from your
dns server to your mail server. your mail server will be unable to
resolve names. just in case you have several nameservers listed
in /etc/resolv.conf, i spoof a strobe coming from your upstream's
nameserver(s) and also from various random hosts on your own network. it
will take you hours to figure out what has happened and why your network
has suddenly gone crazy.

> 3) add a route sending all traffic from the incoming IP to a nonexistent
>    host (if 2 is undesirable for some reason)

ditto.

> Anyone think I shouldn't package it up? :) Speak up now..

no objections to you packaging it. i just want to warn you that 2) and
3) above are dangerous.

craig

--
craig sanders
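The failure mode Craig describes (a reactive blocker that trusts the source address of a probe) can be shown with a small policy model. The following is an added illustration, not code from this thread or from the portsentry project. It contrasts a naive "block whatever source the scan detector reports" rule with a guarded one that exempts the resolvers and upstream listed in its configuration, skips the local network, and only acts on evidence that required the peer to complete a TCP handshake (which a forged source address cannot do). All addresses and the event list are constructed sample data from the RFC 5737 documentation ranges.

```python
"""Toy model of a reactive 'block the scanning source' firewall policy.

Added example, not part of the original thread or the portsentry project.
Addresses, resolver lists and scan events below are constructed samples.
"""

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ScanEvent:
    """One suspicious probe as a scan detector would report it."""
    src: str                   # source address as seen on the wire (unauthenticated)
    dst_port: int
    handshake_completed: bool  # True only if the peer finished the TCP handshake,
                               # which requires the real address to receive our SYN/ACK


@dataclass
class BlockPolicy:
    """Decides whether a reported scan source gets a drop rule added."""
    never_block: set = field(default_factory=set)   # resolvers, upstream, gateways
    local_nets: list = field(default_factory=list)  # ipaddress network objects
    require_handshake: bool = False                 # ignore half-open / UDP evidence
    blocked: set = field(default_factory=set)

    def should_block(self, ev: ScanEvent) -> bool:
        addr = ipaddress.ip_address(ev.src)
        if ev.src in self.never_block:
            return False
        if any(addr in net for net in self.local_nets):
            return False
        if self.require_handshake and not ev.handshake_completed:
            return False
        return True

    def apply(self, events) -> set:
        """Feed events through the policy; return the resulting block set."""
        for ev in events:
            if self.should_block(ev):
                self.blocked.add(ev.src)
        return set(self.blocked)


def naive_policy() -> BlockPolicy:
    """Block whatever source address the detector reports (options 2/3 in the ITP)."""
    return BlockPolicy()


def guarded_policy(resolvers, upstream, local_nets) -> BlockPolicy:
    """Same mechanism with the guards a defender would want in place."""
    return BlockPolicy(
        never_block=set(resolvers) | set(upstream),
        local_nets=[ipaddress.ip_network(n) for n in local_nets],
        require_handshake=True,
    )


def name_resolution_available(resolvers, blocked) -> bool:
    """The host can still resolve names only if at least one resolver is unblocked."""
    return any(r not in blocked for r in resolvers)


# Constructed sample configuration (RFC 5737 documentation ranges).
RESOLVERS = ["192.0.2.53", "198.51.100.53"]   # nameservers from /etc/resolv.conf
UPSTREAM = ["203.0.113.1"]                     # provider's resolver
LOCAL_NETS = ["192.0.2.0/24"]

# Constructed sample events: forged probes that claim to come from the resolvers
# (no handshake can complete for a forged source), plus one genuine scanner
# that actually connected to several ports.
EVENTS = [
    ScanEvent("192.0.2.53", 25, handshake_completed=False),
    ScanEvent("198.51.100.53", 110, handshake_completed=False),
    ScanEvent("203.0.113.1", 143, handshake_completed=False),
    ScanEvent("203.0.113.77", 23, handshake_completed=True),
    ScanEvent("203.0.113.77", 79, handshake_completed=True),
]

if __name__ == "__main__":
    naive = naive_policy().apply(EVENTS)
    guarded = guarded_policy(RESOLVERS, UPSTREAM, LOCAL_NETS).apply(EVENTS)
    print("naive blocked:  ", sorted(naive),
          "DNS still works:", name_resolution_available(RESOLVERS, naive))
    print("guarded blocked:", sorted(guarded),
          "DNS still works:", name_resolution_available(RESOLVERS, guarded))
```

Under the naive policy the forged probes get every resolver and the upstream dropped, so the host loses name resolution exactly as the message predicts; the guarded policy blocks only the scanner that really completed connections. The handshake requirement is a trade-off: it also means SYN-only probes from a genuine scanner never trigger a block, which is the price of not acting on an address nobody has proven they hold.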
