Great Circle Associates Firewalls
(March 1995) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: The never-ending finger
From: "John P. Rouillard" <rouilj @ cs . umb . edu>
Date: Mon, 27 Mar 1995 15:11:06 -0500
To: Bob Beck <beck @ cs . ualberta . ca>
Cc: nsayer @ quack . kfu . com (Nick Sayer), firewalls @ greatcircle . com
In-reply-to: Your message of "Mon, 27 Mar 1995 11:38:21 MST." <95Mar27.113826-0700_(mst) . 138533-2 @ amisk . cs . ualberta . ca> 
In message <95Mar27.113826-0700_(mst) .
 138533-2 @
 amisk .
 cs .
 ualberta .
 ca>,
Bob Beck writes:

>> 
>> The broader issue is that a service should not use its own
>> service to ask about a client. fingerd should not finger fingerers,
>> and ident daemons should not try and ident-ify ident queriers.
>> Those are the only two examples that spring immediately to mind,
>> but the lesson should be a general one so that it pops up in the
>> next non-specific case...
>> 
>[...]>
>	I really doubt a normal hit on a finger or ident port is so
>insidious that is warrants a reverse finger or booby trap. At worst,
>if you don't like these services, just block them and log the access
>attempts (If you really want to). Better to just do them in a
>secure-enough-for-you manner or put in the equivalent of:

Normal yes, maybe. But then again, the Morris worm used a "normal"
connection too. It was only after the fact that reverse lookup info
would have been useful to find out where the attack was comming from,
and what id's were online at the time of the attack.

In any case to prevent the death loop my finger wrapper does a stat of
the file <hostname> before it does the reverse finger against
hostname. If the hostname file has been changed in the previous two
minutes, it doesn't do the reverse finger. If the host hadn't been
fingered in the previous 2 minutes, finger is run redirecting its
output onto the hostname file.


The script is left as an exercise for the reader since it is a 2
minute perl hack, or a little longer if you are using ls, sed, and
expr, or awk.

Sadly the same hack won't work for two mutually loop identd's since
the information is specific to the connection and not general to the
machine. Also there is no way to get out of the loop by looking for
well known tokens such as daemon etc since the tokens have no meaning
for the requestor, only for the supplier.

				-- John
John Rouillard

Senior Systems Administrator		  IDD Information Services
rouilj @
 dstar .
 iddis .
 com			  Waltham, MA (617) 890-7227 x337
						      (617) 487-3937 (Direct)
Senior Systems Consultant (SERL Project)  University of Massachusetts at Boston
rouilj @
 cs .
 umb .
 edu (preferred)	          Boston, MA, (617) 287-6480
===============================================================================
My employers don't acknowledge my existence much less my opinions.
References:
Indexed By Date Previous: Internet Security
From: Jon David <David @ DOCKMASTER . NCSC . MIL>
Next: Fingering and firewalls
From: Ben A Lindstrom <mouring @ netnet . net>
Indexed By Thread Previous: Re: The never-ending finger
From: Bob Beck <beck @ cs . ualberta . ca>
Next: Fingering and firewalls
From: Ben A Lindstrom <mouring @ netnet . net>
Google
 
Search Internet Search www.greatcircle.com