Re: Security in general (was Re: Proposal "LUID")

From: Horst von Brand (vonbrand@sleipnir.valparaiso.cl)
Date: Wed Apr 19 2000 - 20:32:18 EST


"Michael H. Warfield" <mhw@wittsend.com> said:
> On Wed, Apr 19, 2000 at 02:31:29PM -0400, Theodore Y. Ts'o wrote:

[...]

> > Keep in mind that you don't necessarily get one shot at things ----
> > apache for example has a watcher process which will restart worker
> > processes which have core'd themselves. So you can try arbitrary number
> > of times to guess the stack pointer, until you finally get it right.
> > The same is of course true of any program fired out of inetd.conf ---
> > like telnetd, ftpd, etc.

> Good points... Of course, the inetd case is not totally unbounded.
> You'll run into the infamous "server respawning too quickly - shuting down
> for five minutes" type problem that will limit some of that kind of action
> given large enough numbers. Still have the Murphy principle involved that
> says it WILL happen sooner or later.

If I was a cracker, I'd collect a few dozen or so likely victims first, and
then try the attack against each one in turn, with random offsets. Sooner
or later I'll have netted a few. Note that the current crop of kiddies are
out recruiting machines for DDoSes, it doesn't matter much to them whom
they get as long as they get enough to crash the objective.

[...]

> Ok... I understand that's a question that can not be answered.
> There are too many independent variables such as the level of access,
> how rapidly an exploit can be delivered and recycled (the inetd
> limitation), how valuable is the trophy (some attacks won't buy you enough
> gain to make them worthwhile but others could warrant days of attacks),
> and how high is the chance of detection (noisy exploits would have to be
> effective in fewer shots than "quiet" or stealth exploits).

Sadly, the sysadmin savvy has gone down too; and with many more machines to
tend, even noisy attacks are bound to be ignored by many. Remember there
are plenty of targets out there, and the Internet is still growing at
something like 100% a year.

-- 
Horst von Brand                             vonbrand@sleipnir.valparaiso.cl
Casilla 9G, Viña del Mar, Chile                               +56 32 672616
