[rescue] A perverse thought (SGI security division)

Janet L. Campbell janet at foonly.com
Thu Mar 11 15:49:37 CST 2004

On Thu, 11 Mar 2004, Caleb Shay wrote:

> 1. Unauthorized connection logged
> 2. SGI tells firewall to add a tarpit on all ports for offending IP
> 3. Script kiddie now gets uncloseable sockets when they try to ssh in
> 4. Potentially they get uncloseable sockets during the portscan 
> depending on how fast the rules get updated. The portscan never 
> finishes AND it likely forces them to reboot to free up the sockets

Congratulations, you've just reinvented the Forescout "active firewall".  
A few other vendors have done similar stuff, usually with some kind of 
configurable IDS set to trigger firewall rules.

The tricky part is probably tuning the IDS ruleset.  If you know which
hosts shouldn't connect anyway, then you may as well just firewall them
off to start.  Rate limiting on sshd and detecting when more than X bad
login attempts come in within a unit of time from an IP or range, for
firewall triggering, makes some sense.

Don't count on #4; most modern TCP stacks are pretty robust and most 
scanners can deal with various types of half-open connections.

-Janet [pf and ipf rock my world]
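The "more than X bad login attempts in a unit time from an IP or range" detector that the reply above sketches, written out as an added example (it is not code from this thread, from SGI, or from any vendor product). It parses constructed OpenSSH auth.log lines, keeps a sliding window of failures per source address and per /24, spares a whitelisted range so a typo on your own console never firewalls you off, and renders pfctl table additions. The log lines, the `tarpit` table name, the thresholds and the whitelist are all assumptions; pf.conf would need `table <tarpit> persist` and a rule such as `block in quick from <tarpit>` for the additions to have any effect.

```python
"""Sliding-window sshd brute-force detector that emits pf table additions.
Added example, not code from the original mailing-list post. The log lines
below are constructed; table name, thresholds and whitelist are assumptions."""
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH auth.log sample (syslog style, no year in the timestamp).
SAMPLE_LOG = """\
Mar 11 15:40:01 sgi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 11 15:40:02 sgi sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Mar 11 15:40:03 sgi sshd[1205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar 11 15:40:04 sgi sshd[1207]: Failed password for root from 203.0.113.5 port 40150 ssh2
Mar 11 15:40:05 sgi sshd[1209]: Failed password for root from 203.0.113.5 port 40160 ssh2
Mar 11 15:40:06 sgi sshd[1211]: Failed password for invalid user test from 203.0.113.5 port 40171 ssh2
Mar 11 15:41:00 sgi sshd[1220]: Failed password for janet from 192.0.2.10 port 51000 ssh2
Mar 11 15:41:30 sgi sshd[1222]: Accepted publickey for janet from 192.0.2.10 port 51000 ssh2
Mar 11 15:45:00 sgi sshd[1230]: Failed password for invalid user guest from 198.51.100.20 port 33000 ssh2
Mar 11 15:45:01 sgi sshd[1231]: Failed password for invalid user guest from 198.51.100.21 port 33001 ssh2
Mar 11 15:45:02 sgi sshd[1232]: Failed password for invalid user guest from 198.51.100.22 port 33002 ssh2
Mar 11 15:45:03 sgi sshd[1233]: Failed password for invalid user guest from 198.51.100.23 port 33003 ssh2
Mar 11 15:45:04 sgi sshd[1234]: Failed password for invalid user guest from 198.51.100.24 port 33004 ssh2
Mar 11 15:45:05 sgi sshd[1235]: Failed password for invalid user guest from 198.51.100.25 port 33005 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)


def parse_failures(log_text):
    """Yield (timestamp, IPv4Address) for every failed-password line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine for relative windows inside one file (not across a year wrap).
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, ipaddress.ip_address(m.group("ip"))


def detect_bruteforce(log_text, host_threshold=5, range_threshold=4,
                      window_s=60, range_prefix=24, whitelist=("192.0.2.0/24",)):
    """Return the set of networks (as strings) to firewall off.

    A single host is reported as /32 once it produces `host_threshold` failures
    within `window_s` seconds. A range is reported as /range_prefix once
    `range_threshold` *distinct* hosts in it fail within the window, so one
    noisy host does not get its whole /24 blocked. Whitelisted sources are
    never reported (assumed trusted admin range)."""
    trusted = [ipaddress.ip_network(n) for n in whitelist]
    host_windows = defaultdict(deque)    # /32 -> deque of timestamps
    range_windows = defaultdict(deque)   # /24 -> deque of (timestamp, ip)
    offenders = set()
    for ts, ip in parse_failures(log_text):
        if any(ip in net for net in trusted):
            continue
        host = f"{ip}/32"
        rng = str(ipaddress.ip_network(f"{ip}/{range_prefix}", strict=False))

        q = host_windows[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= host_threshold:
            offenders.add(host)

        r = range_windows[rng]
        r.append((ts, ip))
        while (ts - r[0][0]).total_seconds() > window_s:
            r.popleft()
        if len({src for _, src in r}) >= range_threshold:
            offenders.add(rng)
    return offenders


def pf_commands(offenders, table="tarpit"):
    """Render pfctl invocations adding each offender to a pf table.
    The table name is an assumption; pf.conf must declare it and reference it."""
    return [f"pfctl -t {table} -T add {net}" for net in sorted(offenders)]


if __name__ == "__main__":
    for cmd in pf_commands(detect_bruteforce(SAMPLE_LOG)):
        print(cmd)
```

Run against a live log with `tail -F /var/log/auth.log`, the same loop feeds the windows incrementally; the whitelist is the part to get right first, since a detector that can add your own management network to the block table is the failure mode Janet warns about when she says to know which hosts should never connect in the first place.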

