[Dshield] Firewall that bites back??? Addendum

keithtarrant at spamcop.net
Wed Nov 20 14:56:32 GMT 2002


And remember, this issue started with the problem port being port 137.

First, there are lots of completely valid reasons we receive and send port
137 "probes", most revolving around getting the name of the other
computer.

For example, if you have the firewall log tool WallWatcher configured to
display the names of the computers sending in-bound "probes" it uses port
137 to get those names.

So a computer that is itself probing (because of worm infection, or local
or remote control hacking) will see a lot of port 137 probes coming in, as
will a computer that inherits the IP address of an infected computer.

And for other ports on dial-up, computers attempting to contact the
computer that had the IP address you inherited are carrying out legitimate
activity when they try to re-establish their connection to whatever wild
and wonderful port your predecessor was using.

It would be totally wrong to "bite back" on legitimate activity.  Ignore,
yes; block, yes (and it's in your log, so it was); "bite back", no.

Second, most malicious port 137 probes are from machines owned by victims
of either worms or remote control hackers, as I think we all realize here.

It would be wrong to "bite back" against people already victimized.

Third, the suggestion of blocking infected machines is one route.  For
non-technical home users, Norton Internet Security has this feature turned
on by default.  And there are other products that can be set to do this.

Fourth, the real solution is for the owners of infected machines and
machines being used for hacking to be promptly notified they have a
problem, so they can correct it.  And currently the established way to do
this is by email to their ISP's abuse address, and the ISP would then
notify them.

Both DShield FightBack (less aggressive) and MyNetWatchman (more
aggressive) provide automated means of determining which probing machines
are infected or hacking and of sending email to ISP abuse analysts.  They
are the appropriate ways to "bite back".

- Keith
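Keith's log-and-block advice, as an added example (not code from this thread, nor from DShield, MyNetWatchman or Outpost): a small Python triage of the Outpost "Connection request" log format quoted further down in Rilya's post. It groups attempts per source address, treats bare UDP/137 traffic as NetBIOS name lookups, treats repeated retries of one high TCP port as probable stale connections to whoever held the dial-up IP before you, and marks a source as an abuse-report candidate only when it touches several distinct ports. The sample log is a constructed subset of the entries quoted in the thread; the thresholds and verdict names are assumptions of this example, not anything the thread or those tools define.

```python
"""Triage an Outpost firewall "Connection request" log the way the thread
recommends: log and block everything, and only flag a source for an ISP
abuse report when its pattern is more than a name lookup or a stale
connection retry.  Added example; the line format is the one quoted in
the thread, the thresholds and verdict names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Outpost format quoted in the thread (a subset
# of the 15-minute window Rilya posted).
OUTPOST_LOG = """\
11/18/2002 9:46:04 AM Connection request 200.165.212.179 UDP(137)
11/18/2002 9:41:51 AM Connection request 80.24.91.15 UDP(137)
11/18/2002 9:33:59 AM Connection request 209.73.225.95 TCP(24541)
11/18/2002 9:33:03 AM Connection request 216.136.224.76 TCP(1357)
11/18/2002 9:32:02 AM Connection request 209.73.225.95 TCP(24541)
11/18/2002 9:31:57 AM Connection request 216.136.224.76 TCP(1357)
11/18/2002 9:31:42 AM Connection request 61.188.126.1 UDP(137)
11/18/2002 9:30:42 AM Connection request 216.136.224.76 TCP(1357)
11/18/2002 9:30:04 AM Connection request 209.73.225.95 TCP(24541)
11/18/2002 9:28:47 AM Connection request 216.136.224.76 TCP(1357)
11/18/2002 9:28:07 AM Connection request 209.73.225.95 TCP(24541)
11/18/2002 9:19:01 AM Connection request 209.6.250.129 UDP(137)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Connection request (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>TCP|UDP)\((?P<port>\d+)\)$"
)


def parse_outpost(text):
    """Return (timestamp, src, proto, port) tuples.  Lines that do not
    match the format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, m["src"], m["proto"], int(m["port"])))
    return events


def triage(text, repeat_threshold=3, scan_threshold=3):
    """Group events per source and assign one verdict per source.

    netbios-name-query : only UDP/137 seen.  Usually a name lookup (e.g. a
                         log viewer resolving your name) or a worm victim;
                         block, do not report.
    stale-session-retry: one high TCP port retried repeat_threshold or more
                         times; typical of a peer reconnecting to whoever
                         held this dial-up IP before you; block, do not report.
    multi-port-probe   : scan_threshold or more distinct ports touched; the
                         only verdict worth forwarding to the ISP abuse address.
    other              : anything else; block and keep the log entry.
    """
    per_src = defaultdict(lambda: defaultdict(list))  # src -> (proto, port) -> [ts]
    for ts, src, proto, port in parse_outpost(text):
        per_src[src][(proto, port)].append(ts)

    verdicts = {}
    for src, ports in per_src.items():
        keys = set(ports)
        hits = sum(len(v) for v in ports.values())
        if len(keys) >= scan_threshold:
            verdict = "multi-port-probe"
        elif keys == {("UDP", 137)}:
            verdict = "netbios-name-query"
        elif len(keys) == 1:
            proto, port = next(iter(keys))
            if proto == "TCP" and port >= 1024 and hits >= repeat_threshold:
                verdict = "stale-session-retry"
            else:
                verdict = "other"
        else:
            verdict = "other"
        verdicts[src] = {
            "verdict": verdict,
            # Never "bite back": the action is always block, plus a report
            # to the ISP abuse address only for the scanning pattern.
            "action": "block; email ISP abuse" if verdict == "multi-port-probe" else "block",
            "hits": hits,
            "ports": sorted(keys),
        }
    return verdicts


def report_candidates(text):
    """Sources whose pattern justifies an email to their ISP's abuse address."""
    return sorted(src for src, v in triage(text).items()
                  if v["verdict"] == "multi-port-probe")


if __name__ == "__main__":
    for src, v in sorted(triage(OUTPOST_LOG).items()):
        print(f"{src:16} {v['hits']:3} hit(s)  {v['verdict']:20} -> {v['action']}")
```

Running it on the sample yields four name-query sources and two stale-retry sources, and no abuse-report candidates, which matches Keith's reading of that log: nothing there warrants more than logging and blocking. A source appearing on three or more ports is what tips the verdict to a report; the regular two-minute spacing of the TCP(24541) and TCP(1357) retries is the signature of a peer's reconnect timer rather than a scan.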


----- Original Message -----
From: "Conner, Jim" <jconner at uslec.com>
To: <list at dshield.org>
Sent: Tuesday, November 19, 2002 1:46 PM
Subject: RE: [Dshield] Firewall that bites back??? Addendum


> in addendum to Jason's statements:
>
> ... not to mention that some acts could be construed as illegal or at best
> questionably legal.  I would take the advice of Jason and do your best to,
> if need be, log and block.  Logging is good so that if things really get bad
> then you have something to give authorities.  If the traffic you are seeing
> is really malicious masked behind netbios packets then you want to show
> that as evidence.  Something like that would be good evidence as well.  On
> the other hand, choose wisely what you decide to do because the FBI doesn't
> want frivolous accusations.
>
> In the meantime it is best to take a passive stance at such things and keep
> your eyes and er, well, keep your eyes open.
>
> If everybody "fought back" when something happened to them this world would
> be in utter chaos knowing no peace.  Snort is the best tool, imo, to do
> exactly what has been suggested.  The plugins that are available to add
> firewall rules blocking "attacks" from those on certain IP's on certain
> ports are said to be pretty decent.  Of course, if you are using windows as
> a firewall, you may have problems with this and frankly, I would not use
> windows for such a task anyway (my humble opinion...I have no desires to
> start a flame).
>
> good luck.
>
> - Jim
>
>
> |-----Original Message-----
> |From: Jason Allen [mailto:jallen at garden-city.org]
> |Sent: Tuesday, November 19, 2002 1:28 PM
> |To: list at dshield.org
> |Subject: RE: [Dshield] Firewall that bites back??? Addendum
> |
> |
> |I'm sorry, but once you start 'fighting back' you have done exactly what we
> |are here to prevent. You will drive yourself absolutely nuts trying to pay
> |back everyone in the world that is using a system maliciously. Lock your
> |doors. That doesn't mean that you have to stand around all day looking out
> |the peep hole either. Get a couple of good deadbolts and get some rest
> |knowing that you have done everything you can to make YOUR part of the world
> |a safer place. Don't fight back, just make it so their efforts are
> |fruitless. Keep your Karma in the green.
> |
> |-----Original Message-----
> |From: rilya byor [mailto:rilya1 at yahoo.com]
> |Sent: Monday, November 18, 2002 4:12 PM
> |To: list at dshield.org
> |Subject: Re: [Dshield] Firewall that bites back??? Addendum
> |
> |
> |
> |--- Alberto Gonzalez <ag-dshield at cerebro.violating.us>
> |wrote:
> |> well, by "fighting" back, do you mean to attempt the same attack on the
> |> src ip that's attacking you?
> |
> |That's exactly what I meant...
> |
> |> A method of fighting back would be to use something
> |> in the form of SnortSam w/ Snort (support for
> |> pf, ipchains, and iptables(coming soon)) to block
> |> packets based on alerts and or hogwash.
> |
> |Which is exactly what I'll do when I get my new modem
> |to work with RedHat 7.2 ...
> |
> |> I believe you mentioned you're on winXP..
> |
> |Wouldn't be if I could find some good ebay software
> |for Linux ...
> |
> |> Just trying to give you some ideas. Hope it helps
> |
> |It does. Tnx!
> |(BTW, the connection lockups were apparently being
> |caused by my now-former ISP, tho they went to their
> |death denying it!)
> |Rilya
> |
> |> rilya byor wrote:
> |>
> |> >As I was sending the above-mentioned email, my
> |> >connection locked up for the 6th time this morning, and
> |> >now the probes are coming in on other ports too.
> |> >Here's the Outpost attack log for the last 15 minutes:
> |> >
> |> >11/18/2002 9:46:04 AM Connection request 200.165.212.179 UDP(137)
> |> >11/18/2002 9:41:51 AM Connection request 80.24.91.15 UDP(137)
> |> >11/18/2002 9:33:59 AM Connection request 209.73.225.95 TCP(24541)
> |> >11/18/2002 9:33:31 AM Connection request 209.73.225.108 TCP(20239)
> |> >11/18/2002 9:33:14 AM Connection request 209.73.225.94 TCP(32105)
> |> >11/18/2002 9:33:03 AM Connection request 216.136.224.76 TCP(1357)
> |> >11/18/2002 9:32:23 AM Connection request 209.73.225.94 TCP(12064)
> |> >11/18/2002 9:32:02 AM Connection request 209.73.225.95 TCP(24541)
> |> >11/18/2002 9:31:57 AM Connection request 216.136.224.76 TCP(1357)
> |> >11/18/2002 9:31:42 AM Connection request 61.188.126.1 UDP(137)
> |> >11/18/2002 9:31:33 AM Connection request 209.73.225.108 TCP(20239)
> |> >11/18/2002 9:31:17 AM Connection request 209.73.225.94 TCP(32105)
> |> >11/18/2002 9:30:42 AM Connection request 216.136.224.76 TCP(1357)
> |> >11/18/2002 9:30:25 AM Connection request 209.73.225.94 TCP(12064)
> |> >11/18/2002 9:30:04 AM Connection request 209.73.225.95 TCP(24541)
> |> >11/18/2002 9:29:36 AM Connection request 209.73.225.108 TCP(20239)
> |> >11/18/2002 9:29:19 AM Connection request 209.73.225.94 TCP(32105)
> |> >11/18/2002 9:28:47 AM Connection request 216.136.224.76 TCP(1357)
> |> >11/18/2002 9:28:27 AM Connection request 209.73.225.94 TCP(12064)
> |> >11/18/2002 9:28:07 AM Connection request 209.73.225.95 TCP(24541)
> |> >11/18/2002 9:27:38 AM Connection request 209.73.225.108 TCP(20239)
> |> >11/18/2002 9:27:20 AM Connection request 209.73.225.94 TCP(32105)
> |> >11/18/2002 9:26:39 AM Connection request 216.136.224.76 TCP(1357)
> |> >11/18/2002 9:26:29 AM Connection request 209.73.225.94 TCP(12064)
> |> >11/18/2002 9:21:19 AM Connection request 209.73.225.95 TCP(24541)
> |> >11/18/2002 9:21:19 AM Connection request 209.73.225.108 TCP(20239)
> |> >11/18/2002 9:21:13 AM Connection request 209.73.225.94 TCP(32105)
> |> >11/18/2002 9:21:04 AM Connection request 209.73.225.94 TCP(12064)
> |> >11/18/2002 9:19:01 AM Connection request 209.6.250.129 UDP(137)
> |> >
> |>
> |> --
> |> The secret to success is to start from scratch and
> |> keep on scratching.
> |>
> |>
> |> _______________________________________________
> |> Dshield mailing list
> |> Dshield at dshield.org
> |> To change your subscription options (or
> |> unsubscribe), see:
> |> http://www.dshield.org/mailman/listinfo/list
> |
> |
> ---------------------------------------------------------------
> Jim Conner           | AMA & Traffic Systems Analyst
> USLEC of NC          | Security Steering Committee
> 6801 Morrison Blvd   | Unix Systems Development - Perl
> Charlotte, NC 28211  | wk: 704.319.1222 pgr: 877.317.2448
> jconner at uslec.com    | txt: 8773172448 at archwireless.net