List: freebsd-net
Subject: Re: A more pliable firewall
From: Ian Smith <smithi () nimnet ! asn ! au>
Date: 2009-02-21 4:09:36
Message-ID: 20090221135053.J46613 () sola ! nimnet ! asn ! au
On Fri, 20 Feb 2009, Bakul Shah wrote:
> Thanks to everyone who responded. Looks like all the pieces
> to do this exist. All I have to do is to package it all in
> one program "sheriff" that watches various log files and
> pulls the trigger on the bad guy(s) at appropriate time.
Wild West imagery indeed :)
> I think I will add a program to keep running stats on *all*
> the tcp/udp senders to find all those annoyingly pesky repeat
> senders who have no business talking to my network.
Be prepared for a very, very large list! Maybe needing some sort of
tree/trie or hashing algorithm to handle it quickly as it grows. You'll
also need some expiry mechanism after a period, as many if not most of
these are transient scans from infected 'doze boxes, trojans du jour.
And that after you've ignored the near-constant 'background radiation'
from 'doze boxes to eg TCP dst-ports 135,139,445,1433 and others, and
UDP dst-ports 135,137,138,1433,1434,1900 etc; no use chasing such more
or less constant misconfigs, they'll only mask more interesting stuff.
> What would be nice is a standard interface to report
> suspicious failures (sort of like syslog). If the same guy
> sends N DNS requests for the same thing and every request
> fails, chances are he is a bad guy (or a zombie acting on
> behalf of one). Perhaps some day a trusted network of such
> daemons can be used to "back pressure" the closest ISP to the
> sender -- who can then shut him down for a while.
One note of caution: TCP is straightforward enough, the three-way
handshake verifying the source address (if it proceeds to connection).
However it's trivial to forge UDP source addresses, as the recent DNS
amplification attacks I mentioned amply demonstrate.
In such cases, the address appearing to be sending DNS requests logged
as, say, "address#port query (cache) './NS/IN' denied" is the *victim*
of such attacks, and blocking all access to/from such addresses, often
nameservers of large ISPs, amounts to shooting yourself in the foot as
well as further punishing the victim - the unknown attacker's intention!
In that case it's sufficient to block 'from $victim to $me 53', still
allowing $me to query their nameservers, eg to send them some mail :)
good luck,
Ian
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"