Old 02/09/2006, 08h38   #3
responder
Re: ssh dictionary attacks

Ertugrul Soeylemez wrote:

> "shrike@cyberspace.org" <shrike@cyberspace.org> (06-08-19 19:55:23):
>
>> > > Why just slow them if you can stop them?
>> >
>> > Easy. Slowing them down saves bandwidth for the whole internet. As
>> > long as the scanner 'hangs' on scanning your box, it won't issue too
>> > much traffic. If you banned them, then they would just go further
>> > and scan the next box. There are in fact scanners, which could
>> > simultaneously scan multiple boxes, but that is rather rare. Even
>> > then, if _many_ people ed slowing them down, then a lot of
>> > useless traffic would be saved.
>>
>> Until the blackhat integrates the polling with simple flatfile database
>> to distribute the attack on a per password basis. 20 lines of Perl
>> would probably be adequate.
>>
>> Ultimately the solution is for an agency to provide the tarpit as a
>> proxy. Once the connection is determined to be offensive, the socket
>> should be forwarded to a server run by the police with an out-of-band
>> session to provide the true source address and related statistics. One
>> honeypot, many parallel data flows pointing back at the origin.
>
> That's not a solution, because many, if not most of these attacks come
> from innocent people, who don't even know about it. I'd rather call these
> SSH _worms_, because they spread like them.
A _child_ is "innocent" and not (mostly, in civilized societies)
responsible even if s/he signs an otherwise valid contract. Many children
of well-heeled parents have their own computers and internet connections.
If a phishing site were being hosted on that "innocent"'s computer, is the
financial damage to the victims any less real? (No.) Is there any less
reason to shut down that phishing site, just because it is running on a
computer in a child's bedroom, playroom or den? (No.)

An ISP will often or usually not disconnect a customer even when they
acknowledge the customer's system(s) are compromised, because then the ISP
loses the customer and its revenue base. Clearly, there needs to be new,
different or augmented motivation (and mechanisms) to enforce prompt
disconnection / remediation of maliciously compromised, networked
computers. The current pure "free market" capitalist model is not
effective in controlling these security issues.

The fact that the operator of a system is "innocent" by reason of being a
child, of being childlike, of being clueless or simply careless or
irresponsible does not remove the need for remediation or disconnection of
that system. Whether it is an SSH attack, a phishing site, or a malicious IRC
server for a botnet, and regardless of what one chooses to call the type of
attack in nomenclature, the desired essential response to detection needs
to be immediate termination of the malicious activity.

There are probably several ways I could have seen to take legitimate
security issue with what was written above. But, to claim that a proposed
solution is invalid because the "attacks come from innocent people" is a
"red herring". The issue should not be cast in the light of how good or
bad the owners or operators of the equipment are, but rather what they do.
If what they do (or don't do) is a threat to others, they need to be
stopped. The more promptly and quickly they are stopped, the better.

One big giant step further - a very, very hypothetical picture:

Suppose that at some time, long, long ago and in a universe far, far away ...

(are you still with me on this?) ...

On a day called September 11, 2001, ...

In a place called United States of America, ...

Nineteen "innocent" children, abused children, mentally incompetent
children, legally "innocent" children - managed to fly aircraft into
buildings and caused billions of dollars of financial damage, fortunately
without the loss of a single human life other than their own 19 "innocent"
lives. The people of the United States of America will be paying for that
financial damage for generations.

And here's the question:

If we had detected that attack beforehand and were able to prevent it,
should we have elected to _not_ prevent it because the people involved
were "innocent"? I think not.
Reply With Quote
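The exchange quoted in this post turns on whether slowing a scanner per source address still helps once the attacker spreads the attempts across many hosts, each trying only a password or two. The following Python script is an added example, not code from this thread or from any of its participants: it parses constructed OpenSSH "Failed password" log lines (the addresses, account names and timestamps are made up for the example) and separates the case a per-IP tarpit or ban would catch from the distributed, low-and-slow case it would miss, where one account is probed from many sources that each stay under the per-IP threshold. The threshold values are assumptions.

```python
import re
from collections import defaultdict

# Pattern for the OpenSSH failed-login line as written by sshd; the
# "invalid user" prefix appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)

# Constructed sample log (not real data): one noisy scanner hammering a
# single host, plus a slow, distributed run in which each source tries one
# password against the same account, and one legitimate login.
SAMPLE_LOG = """\
Aug 19 19:55:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Aug 19 19:55:02 host sshd[1002]: Failed password for root from 203.0.113.10 port 40002 ssh2
Aug 19 19:55:03 host sshd[1003]: Failed password for invalid user admin from 203.0.113.10 port 40003 ssh2
Aug 19 19:55:04 host sshd[1004]: Failed password for root from 203.0.113.10 port 40004 ssh2
Aug 19 19:55:05 host sshd[1005]: Failed password for root from 203.0.113.10 port 40005 ssh2
Aug 19 19:56:10 host sshd[1010]: Failed password for backup from 198.51.100.1 port 50001 ssh2
Aug 19 19:57:11 host sshd[1011]: Failed password for backup from 198.51.100.2 port 50002 ssh2
Aug 19 19:58:12 host sshd[1012]: Failed password for backup from 198.51.100.3 port 50003 ssh2
Aug 19 19:59:13 host sshd[1013]: Failed password for backup from 198.51.100.4 port 50004 ssh2
Aug 19 20:00:14 host sshd[1014]: Failed password for backup from 198.51.100.5 port 50005 ssh2
Aug 19 20:01:15 host sshd[1015]: Accepted publickey for alice from 192.0.2.7 port 60001 ssh2
"""


def parse_failures(log_text):
    """Yield (user, ip) for every failed-password line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def analyse(log_text, per_ip_threshold=5, distinct_ip_threshold=4):
    """Return (noisy_ips, distributed).

    noisy_ips:   {ip: failure_count} for sources at or above per_ip_threshold,
                 i.e. what a per-source tarpit or ban rule would act on.
    distributed: {user: [ip, ...]} for accounts probed from at least
                 distinct_ip_threshold sources that each stay *below* the
                 per-IP threshold, i.e. the spread-out attack a per-source
                 rule never triggers on. Thresholds are assumed values.
    """
    failures_by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    for user, ip in parse_failures(log_text):
        failures_by_ip[ip] += 1
        ips_by_user[user].add(ip)

    noisy_ips = {ip: n for ip, n in failures_by_ip.items() if n >= per_ip_threshold}

    distributed = {}
    for user, ips in ips_by_user.items():
        # Only count sources that a per-IP rule would leave alone.
        quiet_sources = {ip for ip in ips if failures_by_ip[ip] < per_ip_threshold}
        if len(quiet_sources) >= distinct_ip_threshold:
            distributed[user] = sorted(quiet_sources)
    return noisy_ips, distributed


if __name__ == "__main__":
    noisy, spread = analyse(SAMPLE_LOG)
    for ip, count in noisy.items():
        print(f"per-source rule would catch {ip} ({count} failures)")
    for user, sources in spread.items():
        print(f"distributed probing of '{user}' from {len(sources)} quiet sources: {sources}")
```

The point the script makes is that the two detections need different keys: the noisy scanner shows up when you aggregate by source address, while the distributed run against `backup` is invisible per source and only appears when you aggregate by target account across sources. A per-account view (or a shared blocklist fed by many hosts) is what a defender adds when per-IP slowing stops being enough.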
 