On Mon, Jan 29, 2001 at 07:06:56PM +0000, thomas lakofski wrote:
> My bad. But the point seems moot, since if you're already able to squash
> traffic between the hosts you might as well do that instead of trying to
> induce a blocking response from portsentry. It's decidedly less trivial
> than sending a spoofed SYN.
True, it is easier just to DoS, but if you get portsentry to do something, then you can stop your DoS attack, and things stay broken. That would make the attack a lot harder to trace. That's why I don't think anyone should ever run software that sets up blocks in response to possible attacks it has detected, unless the software is sophisticated enough to make sure it doesn't block anything it shouldn't, at least not permanently.

(I remember reading about some US Gov guys doing security research who had a whole bunch of programs all over their network that collected info and responded automatically, and another team trying to break in. In that case, I guess blocking in response to attacks works, but that's a lot smarter than e.g. blocking everyone who fingers you. What about people who honestly forgot your email address?) The best practice is to notify a human of the situation, so they can do something intelligent :)

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BCE
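The failure mode discussed in this exchange, as an added illustration that is not code from the thread's authors or from portsentry itself: a small Python simulation of an "auto-block on probe" responder. The hosts, ports, timings and the `ConservativeResponder` design (a critical-host exemption, expiring blocks, an alert for a human) are constructed for the example. A source address on a bare SYN is unauthenticated, so a responder that blocks whatever address it sees can be aimed at any third party the attacker chooses, and the block outlives the attack.

```python
# Added example, not portsentry code. Simulates two responders fed by
# spoofable source addresses to show why permanent auto-blocking turns a
# single forged SYN into a lasting denial of service. All hosts, ports and
# times are constructed for the illustration.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Packet:
    src: str            # source IP as seen on the wire: unauthenticated, spoofable
    dst_port: int
    t: float            # seconds since the start of the scenario


class NaiveAutoBlocker:
    """Blocks the source of any packet to a trap port, permanently
    (the behaviour the thread objects to)."""

    def __init__(self, trap_ports: Set[int]) -> None:
        self.trap_ports = trap_ports
        self.blocked: Set[str] = set()

    def observe(self, pkt: Packet) -> None:
        if pkt.dst_port in self.trap_ports:
            self.blocked.add(pkt.src)

    def is_blocked(self, src: str, now: float) -> bool:
        return src in self.blocked


class ConservativeResponder:
    """Same trigger, but never blocks hosts on a critical list, expires every
    block after `ttl` seconds, and records an alert for a human each time."""

    def __init__(self, trap_ports: Set[int], critical: Set[str], ttl: float) -> None:
        self.trap_ports = trap_ports
        self.critical = critical
        self.ttl = ttl
        self.blocked: Dict[str, float] = {}   # src -> expiry time
        self.alerts: List[str] = []

    def observe(self, pkt: Packet) -> None:
        if pkt.dst_port not in self.trap_ports:
            return
        self.alerts.append(f"t={pkt.t:.0f}: probe of port {pkt.dst_port} from {pkt.src}")
        if pkt.src in self.critical:
            # A probe "from" a host we depend on is exactly what a spoofer
            # would send; alert but do not act on the unverified address.
            return
        self.blocked[pkt.src] = pkt.t + self.ttl

    def is_blocked(self, src: str, now: float) -> bool:
        expiry = self.blocked.get(src)
        return expiry is not None and now < expiry


MAIL_RELAY = "10.0.0.5"      # constructed: a host we legitimately depend on
SCANNER = "203.0.113.9"      # constructed: a genuine port scanner
TRAP_PORTS = {1, 11, 111}    # constructed: unused ports watched by the responder


def relay_reachable_after_spoof(responder) -> bool:
    """Attacker forges one SYN carrying the mail relay's address, then stops.
    Returns whether the relay can still reach us an hour later."""
    responder.observe(Packet(src=MAIL_RELAY, dst_port=1, t=0.0))
    return not responder.is_blocked(MAIL_RELAY, now=3600.0)


def scanner_block_timeline(responder) -> List[bool]:
    """A real scanner probes a trap port at t=0; report whether it is blocked
    at t=10 and t=700 so the block's lifetime is visible."""
    responder.observe(Packet(src=SCANNER, dst_port=11, t=0.0))
    return [responder.is_blocked(SCANNER, now=10.0),
            responder.is_blocked(SCANNER, now=700.0)]


if __name__ == "__main__":
    naive = NaiveAutoBlocker(TRAP_PORTS)
    careful = ConservativeResponder(TRAP_PORTS, critical={MAIL_RELAY}, ttl=600.0)
    print("naive responder, relay reachable after spoof:", relay_reachable_after_spoof(naive))
    print("conservative responder, relay reachable after spoof:", relay_reachable_after_spoof(careful))
    print("conservative responder, scanner blocked at t=10/t=700:", scanner_block_timeline(careful))
    for line in careful.alerts:
        print("ALERT:", line)
```

Against the naive blocker the relay is cut off indefinitely by a single packet the attacker never needs a reply to; the conservative responder still notices the probe and tells a human, but a block on an address it cannot verify is both refused for critical hosts and bounded in time for everyone else.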

