Eric Schubert ([log in to unmask]) wrote:
:I'm trying to evaluate internet attack risks using VT with a 3k.  Assume
:that VT sits behind a router that allows access only to the VT port.  What I
:have so far:
 
:()  Does the HP-UX OS come with NS/vt software built in to connect to 3k's?
 
No, not "built in".
 
:()  My testing indicates that an NS/vt port can be attacked simply with any
:Telnet client connecting to the VT port number, tying up sockets and
vtservers.
 
Yes, this is true.  This is true anywhere where a socket is listening to
the internet...
 
: ()  It follows that any NS/vt port can be attacked easily with a perl script
: or simple BSD client that performs connections in a continuous loop, using
: up all available sockets on the 3k without actually doing a logon.  What is
: the VT drop timeout?
 
Yes, simple scripts have been written to do this sort of thing.  I'm
not sure what the VT drop timeout will be, but I suspect that it will
vary depending on what data is sent by the client.  Eero, any comments?
 
At any rate, I do not think these types of attacks are a huge deal.  For
most hackers, the goal is to get a logon to your system.  They could write
their own vt-client scripts, but they are still going to need a username
and passoword, so it would just make their lives more difficult to use
such a mechanism.  PC VT clients are very common and could easily be used
as part of an attack.  Are you concerned about hackers using this system
to "guess" passwords?  They could use it for that.
 
On the other hand, hackers interested in just screwing with your system can
eat resources by repeatedly connecting to your system and attempting to
guess passwords.
 
As a side note, VT is no different from telnet on this issue.  The remote
host can just as easily use telnet to guess passwords as it can use VT.
 
: ()  How easy is it to discover the proper protocol response to a NS/vt
: connection and get an MPE prompt (roll your own VT client, say with a c or
: perl script)?
 
Not simple to discover, but not impossible either. A dedicated hacker could
probably get all of the necessary information with a few traces to do some
simple scripts.
 
Security is one of the few nice things about proprietary protocols.  Your
VT server is probably more safe than an equivalent telnet server just because
of the "security through obscurity"...
 
: ()  If this is done (figure out the proprietary handshake to obtain an MPE
: prompt, like NS/open did), my testing shows that NS/vt will allow continuous
: trial of passwords (try three passwords-drop; reconnect; try three
: more-drop; reconnect, etc.)  Is there any way to shutdown such an attack
: without turning off NS/VT?
 
No.
 
: () What kind of TCP/IP level attacks can take place?  I heard of things like
: packet spoofing, does the 3k need to worry about this?
 
In the scenario you listed above, IP spoofing is not a real concern.  When
an attack uses IP spoofing, the attacker is trying to convince your system
that he is some other host.  Since you said that you were purposefully opening
VT connections to the internet, you are not doing any IP level security yet.
Thus, since you've already allowed any IP address into your host, there is
no reason for the hacker to use IP spoofing.
 
IP spoofing is useful to hackers attempting to:
        1. get around firewalls
        2. get around IP level security mechanisms such as HP-UX's inetd.sec
 
IP-level security keeps out the amateur hackers, but not the dedicated ones.
 
 
Good luck,
 
Mike
 
---
Mike Belshe
[log in to unmask]
HP CSY Networking Lab