North American Network Operators Group


RE: Security on a home DSL Line

  • From: Joe Shaw
  • Date: Fri Nov 03 17:14:15 2000

It still doesn't do things like list the source port of the offending
attack.  It still reports things like traceroutes as suspicious
activity.  It's not so much that BlackIce is a bad product, it's the fact
that most of the users who use it and the other software packages like it
are generally not very clued and will fly off the handle reporting all
sorts of things as attacks or attempts to access their computer.  I've
actually spent an entire weekend being paged by our NOC to deal with
someone who had BlackIce, and another program that would e-mail [email protected] for
the IP address it considered to be attacking, in this case what it was
saying was a UDP flood coming from various IPs of equipment we have.  One
thing led to another, and it turned out he was being UDP flooded by
streaming media servers (RTSP anyone?), and his automated reporting
facility was mailing these complaints out to the NOC.  We had another
person who was screaming bloody murder about being hacked, when he was
tracerouted to twice over a 24-hour period.  That hardly counts as an
intrusion.

Generally, if someone is having an issue and all they have to go on is
BlackIce output, we need pretty evident proof that there's an actual
problem.  One cool feature is the fact that BlackIce can detect certain
types of traffic, like nmap scans, queso, snmp queries, and the like.  But
if all I've got to go on is a 5 packet 'UDP flood,' the source IP, the
destination IP, and the destination port, it gets old quick.  Couldn't it
just look at the source port and say "This looks like RTSP," or "This is
only 5 packets, probably not a big deal."  It really depends on how
sensitive the person who has it sets it, but I've yet to see anyone who
doesn't set it as high as it will go.  A warning that says it might be as
ultra-paranoid as a strung out conspiracy theorist at the highest
settings might not be a bad idea.

I think the last version we looked at was the latest version available in
July/August.  We were looking at it to use as a firewalling solution for
our mobile users, but we just couldn't deal with the amount of calls
people would make to us saying they were being scanned by all the local
Windows machines on the network while they were in the office, or
countless other issues.  We're still looking at other solutions, but few
really have any sort of centralized monitoring/reporting ability.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named because I
don't speak for them here.  I have public opinions, and they don't.

On Fri, 3 Nov 2000, Rishi Singh wrote:

> That was a very old version of BlackIce Defender you are referring to. I
> know exactly which version you are talking about as I had similar problems
> with it. However NetworkIce seems to be a pretty responsive company when it
> comes to complaints and I beta test their products for them.
> 
> All of the dev/null stuff has been eliminated in the last few releases,
> including erroneous reports and extraneous information. You should try it
> now, I think you will be more impressed than the experiences you had with
> the older version.
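The triage heuristics Joe asks for above (look at the source port and say "this looks like RTSP", note that a five-packet "UDP flood" is probably not a big deal, recognise a traceroute for what it is) are easy to apply on the NOC side before a report is escalated. The following Python is an added example written for this page; it is not code from the original post, from BlackIce, or from NetworkIce. The alert record format is constructed (the post does not show BlackIce's output), the streaming-media source-port set is an assumption to be tuned per network, and the low-volume threshold is an arbitrary assumed value. Only the traceroute destination-port range (Unix traceroute probes UDP 33434 and up) is a known fact.

```python
from dataclasses import dataclass

# ASSUMPTION, not from the post: UDP source ports typical of RTSP/RTP
# streaming servers. 554 is the RTSP control port; 6970-7170 is a data-port
# range some media servers of the era used. Tune this to your own network.
STREAMING_SOURCE_PORTS = {554} | set(range(6970, 7171))

# Unix traceroute sends UDP probes to destination ports starting at 33434.
TRACEROUTE_DST_PORTS = range(33434, 33535)

# ASSUMPTION: below this many packets a reported "UDP flood" is noise.
LOW_VOLUME_THRESHOLD = 20


@dataclass
class Alert:
    """One host-IDS report, in a constructed (hypothetical) record layout."""
    kind: str        # label the IDS attached, e.g. "UDP flood"
    proto: str       # "udp", "tcp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int     # packets seen in the alert window


def triage(alert):
    """Return (verdict, reason) for a single alert.

    Verdicts: "benign" (known non-attack pattern), "low" (too little traffic
    to act on), "escalate" (nothing explains it, hand to a human).
    """
    if alert.proto == "udp" and alert.dst_port in TRACEROUTE_DST_PORTS:
        return ("benign",
                "UDP to port %d (traceroute probe range); looks like a traceroute"
                % alert.dst_port)
    if alert.proto == "udp" and alert.src_port in STREAMING_SOURCE_PORTS:
        return ("benign",
                "source port %d is a streaming media port; this looks like RTSP/RTP"
                % alert.src_port)
    if alert.packets < LOW_VOLUME_THRESHOLD:
        return ("low", "only %d packets; probably not a big deal" % alert.packets)
    return ("escalate", "no benign explanation found for %s" % alert.kind)


# Constructed sample reports modelled on the situations described in the post.
SAMPLE_ALERTS = [
    Alert("UDP flood", "udp", "192.0.2.10", 6970, "198.51.100.7", 7001, 5),   # media stream
    Alert("UDP flood", "udp", "192.0.2.20", 40123, "198.51.100.7", 33436, 2), # traceroute
    Alert("UDP flood", "udp", "192.0.2.30", 53, "198.51.100.7", 1234, 4),     # tiny, unexplained
    Alert("TCP port scan", "tcp", "192.0.2.40", 40000, "198.51.100.7", 139, 300),  # real scan
]


def triage_all(alerts):
    """Triage a batch and return the list of verdicts, in input order."""
    return [triage(a)[0] for a in alerts]


def summarize(alerts):
    """Count verdicts so a NOC can see what fraction of a reporter's mail is noise."""
    counts = {"benign": 0, "low": 0, "escalate": 0}
    for a in alerts:
        counts[triage(a)[0]] += 1
    return counts


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        verdict, reason = triage(a)
        print("%-9s %s:%d -> %s:%d  %s (%s)" % (verdict, a.src_ip, a.src_port,
                                                 a.dst_ip, a.dst_port, a.kind, reason))
    print(summarize(SAMPLE_ALERTS))
```

The order of the checks matters: the traceroute and streaming-port tests run before the packet-count test so that a two-packet traceroute is labelled as a traceroute rather than merely "low volume", which is the distinction the post is asking the tool to make.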