com (Sick Puppy) writes:
>Has anyone seen an S.. attack against a firewall?
>If so, could you post part of the logs please?
They're boring. The firewall used a simple three strikes and you're
A full solution would use a smarter watcher program that charaterized
an attack and then informed the firewall to update its filters.
One thing I *really* like about the current Morningstar Express
software is that one can update filters whenever some user-defined
trigger packets are received. In the full blown firewall design one
could run tcpdump on a Unix host and have some high level pattern
matcher watch the tcpdump output. Any suspicious activity would cause
the program to tell the firewall to raise the drawbridge with respect
to that subnet (or domain etc.).
One could also set tripwires in sendmail/ftp/finger/http etc looking
for someone trying to exploit old bugs (eg. if someone typed "debug"
at sendmail.) The daemons themselves could then tell the firewall to
slam the door.
This of course assumes that one is willing to live with an occasional
denial of service attack.
Wolfgang Rupprecht <wolfgang @