Simple scans can be sent at your computer with spoofed source addresses, which means a hacker could trick your system into "auto-blocking" anybody they wished.
For example, suppose you are in a chat-room with other people. A hacker doesn't like you and decides to kick you off the chat-room. In theory, the hacker can forge the chat server's IP address and send you attack packets, hoping that our product will then automatically block all further traffic from the chat server, effectively removing you from the chat-room.
Therefore, auto-blocking only applies to those attacks that cannot be spoofed.
Example
A customer sent us a log containing the following probes/pings/scans. These are simply hackers lightly scanning the system looking for a way in. They definitely show hostile intent on the part of the hacker, but they do not indicate a danger to the system. Moreover, the source IP addresses in these packets could easily be spoofed.
| Severity | Time | ID | Intrusion | Intruder IP | Intruder | Victim | Info | Count |
|---|---|---|---|---|---|---|---|---|
| 59 | 1999-12-05 11:13:24 | 2003102 | TCP port probe | 209.168.102.133 | VADER | 192.0.2.134 | port=98 | 1 |
| 19 | 1999-12-08 00:26:17 | 2001507 | PCAnywhere ping | 192.0.2.91 | EDISON FABIAN | 192.0.2.134 | | 7 |
| 19 | 1999-12-09 05:01:09 | 2001507 | PCAnywhere ping | 192.0.2.109 | MEDIA | 192.0.2.134 | | 3 |
| 79 | 1999-12-10 05:08:23 | 2001511 | WhatsUp scan | 192.0.2.68 | 216-59-17-68.usa.flashcom.net | 192.0.2.134 | | 1 |
| 19 | 1999-12-10 15:29:09 | 2001507 | PCAnywhere ping | 192.0.2.68 | 216-59-17-68.usa.flashcom.net | 192.0.2.134 | | 1 |
| 59 | 1999-12-11 09:36:13 | 2001506 | Back Orifice ping | 4.3.208.14 | lsajca1-208-014.dsl.gtei.net | 192.0.2.134 | type=PING(1) & passwd=0x7A69 & length=19 & xid=0x0 & iport=0x0450 & vport=0x7A69 | 1 |
| 59 | 1999-12-12 01:53:28 | 2003101 | TCP trojan horse probe | 131.156.140.11 | BADJUJU | 192.0.2.134 | port=1243 & name=Sub 7 | 1 |
In the above example, the top attack is by somebody who sent a single TCP SYN packet at port 98 on the system. In theory, this person could have spoofed the IP source address, in which case the person at 209.168.102.133/VADER is completely innocent and it was somebody else entirely. In reality, it probably is indeed a hacker named VADER probing your system looking for linuxconf. Since this system is Windows, this probably isn't a concern.
The PCAnywhere pings and WhatsUp scans are from people nearby on the same area of the network. These programs often scan the hosts around them automatically. This isn't necessarily hostile, and these packets could also be spoofed.
The Back Orifice ping is definitely a hacker with hostile intent. Since it is a single UDP packet, it could likewise be spoofed (the other attacks above were generally connection attempts made before any real data is sent, whereas a Back Orifice packet carries its data in the very first packet, before any connection is established).
Likewise, the last attack consists of an attempt to connect to your machine using the Sub7 trojan. Since this is blocked, the connection fails.
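The rule above (log spoofable probes, but only auto-block a source that has proven its address by completing a TCP handshake) as an added example in Python; this is illustrative code, not the product's own logic, and the event records, the CHAT_SERVER address and the final two events are constructed:

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One intrusion record, modelled on the log columns above (constructed)."""
    intrusion: str
    intruder_ip: str
    victim_ip: str
    proto: str                         # "tcp", "udp" or "icmp"
    handshake_completed: bool = False  # True only after a full TCP three-way handshake

def is_spoofable(event: Event) -> bool:
    """A source address is unproven unless the sender completed a TCP handshake:
    the victim's SYN/ACK had to reach the real host and be answered with the
    right sequence number. UDP and ICMP have no such exchange, and a lone SYN
    (or a connection that was refused) never finishes one."""
    return event.proto != "tcp" or not event.handshake_completed

def auto_block(events):
    """Return (ips_to_block, log_only_notes). Spoofable events are recorded but
    never block, so a forged packet cannot cut you off from a legitimate peer."""
    blocked, log_only = set(), []
    for e in events:
        if is_spoofable(e):
            log_only.append(f"{e.intruder_ip} {e.intrusion}: logged only, source unverified")
        else:
            blocked.add(e.intruder_ip)
    return blocked, log_only

CHAT_SERVER = "203.0.113.5"  # constructed: a server the user is legitimately connected to

# Constructed records: the first four mirror rows of the log above, the last two
# are hypothetical (a forged packet claiming to be the chat server, and an attack
# carried over an established session).
SAMPLE_LOG = [
    Event("TCP port probe", "209.168.102.133", "192.0.2.134", "tcp"),         # lone SYN to port 98
    Event("PCAnywhere ping", "192.0.2.91", "192.0.2.134", "udp"),
    Event("Back Orifice ping", "4.3.208.14", "192.0.2.134", "udp"),
    Event("TCP trojan horse probe", "131.156.140.11", "192.0.2.134", "tcp"),  # refused, never completed
    Event("TCP port probe", CHAT_SERVER, "192.0.2.134", "tcp"),               # forged source address
    Event("Exploit over established session", "198.51.100.7", "192.0.2.134",
          "tcp", handshake_completed=True),
]

if __name__ == "__main__":
    to_block, notes = auto_block(SAMPLE_LOG)
    print("block:", sorted(to_block))
    print("\n".join(notes))
```

Only 198.51.100.7 ends up blocked; the forged packet "from" the chat server is logged but cannot disconnect you.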