[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-security] Scan detection

Subject: RE: [cobalt-security] Scan detection
From: "Graeme Fowler" <graeme.fowler@xxxxxxxxxxxxxx>
Date: Mon, 12 Aug 2002 17:36:01 +0100
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Paul Jacobs asked:

> Why is it that after SUN'S new "TCP Hardening" patch and
> the 8+ new services running on my box now that when you
> goto "Action Against Detected Scans" and select "Log and
> Block" you get a message saying " if you enable this
> option you will be open to DOS attack's! ?.

Imagine: you know someone just installed this patch. You then attack it with a whole stack of spoofed IP addresses, thousands of packets over a short time. The RaQ then explodes by:

a) filling up its' log partition, and
b) potentially blocking itself and/or the router it's attached to, DNS servers and so on.

Yes, these offerings from Sun are a good idea; the white paper gives a fairly comprehensive (though not too details) overview of how they achieve things but it's still easy to cripple a machine with them installed.

Better to have all your internet-facing services as secure as possible. Generally, I don't give a stuff if someone scans a machine of mine and finds a webserver and SSH server. None of the other ports are accessible, anyway.

It's all in the configuration. You want to know if someone prodded all your service ports, not the 65000+ other ones!

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC

Prev by Date: Re: [cobalt-security] got root?
Next by Date: RE: [cobalt-security] got root?
Previous by thread: Re: [cobalt-security] Scan detection
Next by thread: RE: [cobalt-security] Scan detection

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index