[Dshield] Could this be done ?

John Draper crunch at shopip.com
Mon Sep 9 02:01:25 GMT 2002


>I see this type of correlation too. But what about the possibility of
>people abusing this through spoofing? The scenario is quite simple.

That doesn't seem to be a real problem. It's easy to go in and quickly remove them. But I guarantee that if the IDS picks it up, it is NOT getting inside the network. In order to get meaningful results in scanning, you HAVE to use TCP/IP, and you can't forge that. Obviously stealth scans would allow spoofing. It just depends on what Snort rules are in effect today. It's so easy to change them and update the rules database. I only have to spend 5 mins a day going through my logs and removing IPs from the "shitlist" that manage to get on it. I just go through, delete all the spoofed ones, take a look at the IDS logs, and decide whether or not to grant that IP access again.

Someone from inside the net tried to access a mail server outside the net, and it had the Klez attachment, and complained they couldn't read that message. I told them it had a virus in it, and they would have to delete that mail item or log in from outside the internal net. NOT ONE machine has ever been infected. Just ONE Snort rule did it. One thing about Klez, it's damned easy to identify.
>
>Site A is blocking all sites that scan it, for 15 minutes.

I would never deploy THAT policy...
>
>Site B is Site A's biggest customer.
>
>Site C is Site A's biggest competitor.
>
>C sets up (or hires someone to do so) a network of machines to spoof as
>Site B, and scan Site A's network every 10 minutes. After about 48 hours
>of this, C calls B to setup a new deal, and B gladly accepts, as they
>haven't been able to get to A's site, and nobody has responded to their
>emails, for the last two days!
>
>Granted, A should already have tracked down the sysadmins at B, and
>confirmed that this was spoofed traffic. But by the time that could be
>confirmed, the damage is already done. Even if the IT department sent
>out a notice explaining what was going on, A's reputation is already
>tarnished.

Looks like you need a Crunchbox... (Shameless self-promotion) :-)

John
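Added example, not part of the original thread and not the Crunchbox or anybody's Snort rules: a small simulation of the quoted "block anything that scans me for 15 minutes" policy, replaying the Site B / Site C scenario. Addresses, the five-port scan threshold and the timings are assumptions. With require_handshake=False the blocker acts on raw SYNs, so a forged source address is enough to get the customer blocked, and repeating the burst every 10 minutes keeps them blocked indefinitely. With require_handshake=True only completed three-way handshakes count, which a spoofer cannot produce from an address they don't control; the trade-off is that stealth (SYN-only) scans are no longer blocked automatically, which is the caveat John raises above.

```python
"""Simulation of a 'block anything that scans me' policy and its spoofing
failure mode.  Constructed example, not from the original thread and not
the Crunchbox or Snort; addresses, threshold and timings are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

BLOCK_SECONDS = 15 * 60   # the quoted Site A policy: block a scanner for 15 minutes
SCAN_THRESHOLD = 5        # assumed: this many distinct destination ports counts as a scan

SITE_B = "198.51.100.7"   # constructed: Site A's customer, whose address gets spoofed
SCANNER = "203.0.113.9"   # constructed: a real host doing a full-connect scan


@dataclass(frozen=True)
class Event:
    ts: int                   # seconds since start of the simulation
    src: str                  # source address as seen in the packet header
    dport: int
    handshake_complete: bool  # True only if the TCP three-way handshake finished


class AutoBlocker:
    """Counts distinct destination ports per source and blocks a source that
    reaches the threshold.  With require_handshake=False it acts on any SYN,
    so a forged source address is enough to get a third party blocked.  With
    require_handshake=True only completed connections count: the SYN-ACK for
    a spoofed SYN goes to the forged address, so the attacker can never
    finish the handshake from an address he does not control."""

    def __init__(self, require_handshake, threshold=SCAN_THRESHOLD,
                 block_seconds=BLOCK_SECONDS):
        self.require_handshake = require_handshake
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.ports_seen = defaultdict(set)
        self.blocked_until = {}

    def is_blocked(self, src, ts):
        until = self.blocked_until.get(src)
        return until is not None and ts < until

    def observe(self, ev):
        if self.require_handshake and not ev.handshake_complete:
            return
        seen = self.ports_seen[ev.src]
        seen.add(ev.dport)
        if len(seen) >= self.threshold:
            self.blocked_until[ev.src] = ev.ts + self.block_seconds
            seen.clear()


def spoofed_burst(ts):
    """Stealth scan with Site B's address forged as the source: no handshake."""
    return [Event(ts, SITE_B, p, False) for p in (21, 22, 23, 25, 80)]


def connect_scan(ts):
    """A real scanner completing full connections from its own address."""
    return [Event(ts, SCANNER, p, True) for p in (21, 22, 23, 25, 80)]


def build_timeline():
    events = []
    for ts in range(0, 1800, 600):                 # attacker repeats every 10 minutes
        events += spoofed_burst(ts)
    events += connect_scan(30)
    events.append(Event(60, SITE_B, 443, True))    # Site B's genuine traffic
    events.append(Event(1000, SITE_B, 443, True))
    return sorted(events, key=lambda e: e.ts)      # stable sort keeps same-ts order


def run(require_handshake):
    """Replay the timeline; return which genuine connections were admitted
    and the blocker itself so the scanner's fate can be inspected."""
    blocker = AutoBlocker(require_handshake)
    admitted = {}
    for ev in build_timeline():
        if ev.handshake_complete:
            admitted[(ev.src, ev.ts)] = not blocker.is_blocked(ev.src, ev.ts)
        blocker.observe(ev)
    return admitted, blocker


if __name__ == "__main__":
    for mode in (False, True):
        admitted, blocker = run(mode)
        print(f"require_handshake={mode}: Site B admitted at t=60: "
              f"{admitted[(SITE_B, 60)]}, at t=1000: {admitted[(SITE_B, 1000)]}; "
              f"scanner blocked at t=31: {blocker.is_blocked(SCANNER, 31)}")
```

Run it and the naive blocker refuses Site B's real connections at both t=60 and t=1000 even though Site B never sent a packet that counted as a scan, while the handshake-aware blocker admits them and still blocks the scanner that used its real address. Either way the 15-minute expiry is only a reprieve if the attacker stops; a burst every 10 minutes re-arms the block before it lapses.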
