November 6th, 2002, 10:54 AM
IDS/Firewalls: how to detect traffic which is NOT an attack
I've noticed there are loads of people, typically windows users, who have installed <insert name of firewall/IDS here> on their box and immediately reported something which they think is an attack: Examples:
1. Help, I've just installed a packet monitor, and I'm being bombarded with tons of TCP packets from port 80 to high port numbers, are they trying to hack ing?
-- NO, no-one is trying to hack in, that is your web pages downloading!
2. Help, I'm seeing loads of attacks from port 53 all from my ISP's DNS server - are they trying to hack me?
- No, these are DNS replies.
3. I've installed <insert name of windows p2p warez sharing program here> and I'm seeing loads of connections to/from my machine all over the place and in netstat etc...
- Yes, that's what these things do. They're really good at screwing up attempts at making a good IDS configuration because in IP terms, they are extremely promiscuous, connecting to/from anything on any port number they feel like. Also some of them send strange ICMP.
p2p is the enemy of IDS, it creates noise.
There are of course a lot of other situations where newbies see incoming packets and immediately assume they are attacks.
Most incoming packets will be responses to outgoing ones. These are of course safe and if you block them, you won't be very happy.
PLEASE CHECK before reporting something as an attack, that it isn't legitimiate incoming responses.
If you have p2p running, shut it off for several hours beforehand, if the incoming packets continue, MAYBE then you have an attack
Turn off IM software, auto-update on any virus scanners etc you run and anything else that generates traffic.
If you use p2p, it is extremely likely that your machine has been invaded by some ad-ware which they usually ship with. Disable this too if you can as it will generate traffic.
If after turning everything off, you still see attacks, then you might actually be getting attacked.