At 09:36 AM 8/12/2002, you wrote:
Paul Jacobs asked:

> Why is it that after SUN'S new "TCP Hardening" patch and
> the 8+ new services running on my box now that when you
> go to "Action Against Detected Scans" and select "Log and
> Block" you get a message saying "if you enable this
> option you will be open to DOS attacks!"?

Imagine: you know someone just installed this patch. You then attack it with a whole stack of spoofed IP addresses, thousands of packets over a short time. The RaQ then explodes by:

a) filling up its log partition, and
b) potentially blocking itself and/or the router it's attached to, DNS servers and so on.

Sounds like a problem with how the network you sit on is configured. See my earlier post on how to stop this at the router.

Yes, these offerings from Sun are a good idea; the white paper gives a fairly comprehensive (though not too detailed) overview of how they achieve things, but it's still easy to cripple a machine with them installed.

Better to have all your internet-facing services as secure as possible. Generally, I don't give a stuff if someone scans a machine of mine and finds a webserver and SSH server. None of the other ports are accessible, anyway.

It's all in the configuration. You want to know if someone prodded all your service ports, not the 65000+ other ones!

Graeme
--
Graeme Fowler
System Administrator
Host Europe Group PLC
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
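The two failure modes Graeme describes (a "log and block" responder that fills its own log partition, and one that blocks its own gateway or resolvers when fed spoofed source addresses) can be bounded in the responder itself. The following is an added illustration written for this archive, not Cobalt or Sun code and not part of the original thread: a toy scan responder with a never-block list, a capped block table, and a capped log. The addresses, the limits and the simulated scan events are constructed for the demonstration.

```python
"""
Toy "log and block" scan responder (constructed example).

Shows two safeguards a defender wants before auto-blocking scan sources:
  1. never block addresses the box depends on (itself, gateway, resolvers);
  2. bound both the block table and the log so a flood of spoofed
     sources cannot exhaust disk or grow the block list without limit.
"""
import ipaddress
from collections import OrderedDict

# Constructed values: the box's own address, its default gateway and its
# DNS resolver. Blocking any of these would cut the machine off.
NEVER_BLOCK = {
    ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.1", "192.0.2.53")
}


class ScanResponder:
    def __init__(self, max_blocks=100, max_log_bytes=4096):
        # Insertion-ordered so the oldest block can be evicted when full.
        self.blocked = OrderedDict()
        self.max_blocks = max_blocks
        self.log_bytes = 0
        self.max_log_bytes = max_log_bytes
        self.dropped_log_lines = 0

    def log(self, line):
        """Append a line unless the log budget is exhausted; count drops."""
        size = len(line.encode()) + 1  # +1 for the newline
        if self.log_bytes + size > self.max_log_bytes:
            self.dropped_log_lines += 1  # drop rather than fill the partition
            return False
        self.log_bytes += size
        return True

    def is_blocked(self, src):
        return ipaddress.ip_address(src) in self.blocked

    def on_scan(self, src):
        """Handle one detected scan from source address `src`."""
        ip = ipaddress.ip_address(src)
        if ip in NEVER_BLOCK:
            # A spoofed packet "from" the gateway must not take the gateway down.
            self.log(f"scan from protected host {ip}: logged, NOT blocked")
            return "skipped"
        if ip not in self.blocked and len(self.blocked) >= self.max_blocks:
            self.blocked.popitem(last=False)  # bounded table: evict the oldest
        self.blocked[ip] = "scan"
        self.log(f"scan from {ip}: blocked")
        return "blocked"


def simulate(sources, **kwargs):
    """Feed a list of source addresses through a fresh responder."""
    responder = ScanResponder(**kwargs)
    results = [responder.on_scan(s) for s in sources]
    return responder, results


if __name__ == "__main__":
    # Constructed flood: 150 spoofed sources, then spoofed gateway and resolver.
    flood = ["198.51.100.%d" % i for i in range(1, 151)] + ["192.0.2.1", "192.0.2.53"]
    r, res = simulate(flood, max_blocks=100, max_log_bytes=1024)
    print("blocked entries:", len(r.blocked))
    print("gateway blocked?", r.is_blocked("192.0.2.1"))
    print("log lines dropped:", r.dropped_log_lines)
```

The point of the never-block set is the one the thread makes: the sender controls the source address, so an automatic block decision must exclude everything the machine cannot afford to lose. The caps turn an unbounded resource drain into a counter you can alert on.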