Operating System - OpenVMS

Re: expiration time of INTRUDER

Davor_7
Regular Advisor

expiration time of INTRUDER

When you become an intruder, and your trial count goes up, the expiration time goes up and down. That's strange.
Who can explain this phenomenon?
thanks!


Intrusion   Type       Count   Expiration
TERMINAL    INTRUDER       8   16:17:13
TERMINAL    INTRUDER      12   16:16:55
TERMINAL    INTRUDER      13   16:18:11

John Gillings
Honored Contributor

Re: expiration time of INTRUDER

Davor,

Each time a new suspect event occurs, the expiration time for that source is incremented by a random time period (between 0.5 and 1.5 times LGI_BRK_TMO). It's a sliding window, with older events being dropped. So, depending on the sequence of increments, the expiration time can go up and down with the count as events are added and dropped.

OpenVMS deliberately makes this chaotic so that even people who know the algorithm cannot predict when the effect of an intrusion detection will expire. The best they can do is assume worst case.
A crucible of informative mistakes
John Gillings
Honored Contributor

Re: expiration time of INTRUDER

Curious... this thread is marked with a magic rabbit, but there are no points assigned.
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

John,
it's funny, hehe~

But I found something confusing, so I reopened this topic.

You said it's 0.5 - 1.5 times TMO for the expiration time,
but in this example the TMO is about 40 mins
(sh time = 15:49:21),
so 0.5 * 40 = 20 mins (min); 1.5 * 40 = 60 mins (max).
Why does it go up and down by only some seconds?

Intrusion   Type       Count   Expiration
TERMINAL    INTRUDER       8   16:17:13
TERMINAL    INTRUDER      12   16:16:55
TERMINAL    INTRUDER      13   16:18:11

Could you help explain it to me?
Mike Reznak
Trusted Contributor

Re: expiration time of INTRUDER

Hi
Just to make it a bit more clear.

LGI_BRK_TMO

LGI_BRK_TMO specifies the length of the failure monitoring
period. This time increment is added to the suspect's expiration
time each time a login failure occurs. Once the expiration period
passes, prior failures are discarded, and the suspect is given a
clean slate.

LGI_BRK_TMO is a DYNAMIC parameter.


LGI_BRK_LIM

LGI_BRK_LIM specifies the number of failures that can occur at
login time before the system takes action against a possible
break-in. The count of failures applies independently to login
attempts by each user name, terminal, and node. Whenever login
attempts from any of these sources reach the break-in limit
specified by LGI_BRK_LIM, the system assumes it is under attack
and initiates evasive action as specified by the LGI_HID_TIM
parameter.

The minimum value is 1. The default value is usually adequate.

LGI_BRK_LIM is a DYNAMIC parameter.

Mike
...and I think to myself, what a wonderful world ;o)
Mike Reznak
Trusted Contributor

Re: expiration time of INTRUDER

I forgot to insert the third one...

LGI_HID_TIM

LGI_HID_TIM specifies the number of seconds that evasive action
persists following the detection of a possible break-in attempt.
The system refuses to allow any logins during this period, even
if a valid user name and password are specified.

LGI_HID_TIM is a DYNAMIC parameter.

All that help you can find in

$ mc sysman help Sys_Parameters

Mike
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

Hi all, thanks for your replies.
But I still cannot make it out.
Please let me show my question more clearly.

I know that there are 3 parameters:
LGI_BRK_LIM is for the break-in count (here = 6)
LGI_BRK_TMO is for SUSPECT status (here = 30 mins)
LGI_HID_TIM is for INTRUDER status (this is where I found the question)

The following is my testing data:
$ sh time
15:49:21
$ (try failed logins 8 times)
Count: 8   Expiration: 16:17:13
$ (keep trying)
Count: 12  Expiration: 16:16:55
Count: 13  Expiration: 16:18:11

My question is why the expiration time decreased when the count increased from 8 to 12...
From what Mike said, "LGI_HID_TIM is a DYNAMIC parameter."
But if that's true, what is the exact scope of this "dynamic"?

Thanks! :)
Ian Miller.
Honored Contributor

Re: expiration time of INTRUDER

Dynamic means that the system parameter can be changed and the updated value becomes effective without rebooting the system.
____________________
Purely Personal Opinion
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

But how does it change?
I think there should be a rule behind it...

I'm looking for it :)
Ian Miller.
Honored Contributor

Re: expiration time of INTRUDER

"why the expiration time decreased when the count increased from 8 to 12..."

I think John G's explanation covers how this can happen.

Davor_7
Regular Advisor

Re: expiration time of INTRUDER

Nope~ Miller, I don't think so.
John said:
"Each time a new suspect event occurs, the expiration time for that source is incremented by a random time period (between 0.5 and 1.5 times LGI_BRK_TMO)."
That is talking about SUSPECT and LGI_BRK_TMO.
Here, my data is all about INTRUDER and HID_TIM, a different scope :)

What's your idea about it?
Peter Barkas
Regular Advisor

Re: expiration time of INTRUDER

John G's explanation works for me.

Presumably the intruder timings are added to the suspect timings and therefore the suspect timer randomness applies to the intruder as well? For there to be randomness for suspects but not for intruders would seem illogical.
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

But Peter,
after several tests of mine, the SUSPECT timer has no randomness problem. It strictly increases by LGI_BRK_TMO (30 mins) per trial:

Type      Count   Expiration
SUSPECT       1   16:30:34
SUSPECT       2   17:00:36
SUSPECT       3   17:30:40

I only find the randomness on INTRUDER...
Wim Van den Wyngaert
Honored Contributor

Re: expiration time of INTRUDER

Don't understand it either.

I did a test generating an intruder in a script.

For suspect it works as described but for intruder ? After 50 intrusions the penalty is still only 1 minute.

John : what do you exactly mean with sliding window ?

Why ?

Wim
Wim Van den Wyngaert
Honored Contributor

Re: expiration time of INTRUDER

Oops. The intervals are not added. After each login failure 60 seconds are re-applied.

But the 60 seconds seem to be randomized with a value between 1 and 6 seconds (or is it 10% ?), not 0.5 and 1.5.

Wim
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

Yes, Wyngaert!
You have the same question I wanted to ask~

Wim Van den Wyngaert
Honored Contributor
Solution

Re: expiration time of INTRUDER

It sure seems to be 10%, I tested with other lgi_hid_tim values.

But it is never negative. So, Davor, in your test it should be between 30 and 33 minutes.
I guess there is some delay between your show time and the intrusion time that decreased.

Wim
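A small Python model of the behaviour reported in John's first post and in Wim's solution above, added here as an illustration; it is not OpenVMS code, and the arithmetic is an assumption assembled from the thread rather than from the LOGINOUT source: the SUSPECT window grows by LGI_BRK_TMO per failure (as the SYSGEN help text says), and once LGI_BRK_LIM is reached the INTRUDER hide time is LGI_HID_TIM re-applied from the current clock, stretched by a random 0 to 10 percent (Wim's measurement). The class name, the `fixed_jitter` helper and the timestamps are made up for the example.

```python
"""Toy model of the OpenVMS break-in timers discussed in this thread.

Added illustration only: this is NOT OpenVMS source, and the exact
arithmetic inside LOGINOUT is not documented here.  It encodes what the
thread reports (assumptions, not verified against VMS):
  * SUSPECT: each login failure adds LGI_BRK_TMO seconds to the record's
    expiration (SYSGEN help text; Davor's SUSPECT sample).
  * INTRUDER: once the count reaches LGI_BRK_LIM the source is hidden for
    LGI_HID_TIM seconds, re-applied (not accumulated) on every further
    failure and stretched by a random 0 to 10 percent (Wim's observation).
  * Expired records are dropped, giving the source a clean slate.
Times are plain seconds on any monotonic clock; the jitter source is
injectable so a run can be reproduced.
"""
import random
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, Dict, List, Optional


@dataclass
class Record:
    status: str        # "SUSPECT" or "INTRUDER"
    count: int
    expiration: float  # absolute time (seconds) at which the record lapses


def fixed_jitter(values: List[float]) -> Callable[[], float]:
    """Deterministic stand-in for random.random() that cycles over `values`."""
    return cycle(values).__next__


class BreakinTracker:
    def __init__(self, brk_lim: int = 5, brk_tmo: float = 300.0,
                 hid_tim: float = 60.0,
                 jitter: Callable[[], float] = random.random) -> None:
        self.brk_lim = brk_lim      # LGI_BRK_LIM
        self.brk_tmo = brk_tmo      # LGI_BRK_TMO, seconds
        self.hid_tim = hid_tim      # LGI_HID_TIM, seconds
        self.jitter = jitter        # returns a float in [0, 1)
        self.records: Dict[str, Record] = {}

    def _live(self, source: str, now: float) -> Optional[Record]:
        """Return the current record for a source, dropping it if expired."""
        rec = self.records.get(source)
        if rec is None:
            return None
        if now >= rec.expiration:
            del self.records[source]   # clean slate
            return None
        return rec

    def login_failure(self, source: str, now: float) -> Record:
        """Register one failed login from `source` at time `now`."""
        rec = self._live(source, now)
        if rec is None:
            rec = Record("SUSPECT", 0, now)
            self.records[source] = rec
        rec.count += 1
        if rec.count < self.brk_lim:
            # SUSPECT: the monitoring window grows by LGI_BRK_TMO per failure
            rec.expiration += self.brk_tmo
        else:
            # INTRUDER: hide for LGI_HID_TIM from *now*, plus 0..10% jitter.
            # Because this is re-applied from the current clock rather than
            # accumulated, two failures seconds apart can yield a LOWER
            # expiration on the later one when its jitter draw is smaller.
            rec.status = "INTRUDER"
            rec.expiration = now + self.hid_tim * (1.0 + 0.1 * self.jitter())
        return rec

    def is_hidden(self, source: str, now: float) -> bool:
        """True while evasive action applies to `source` (logins refused)."""
        rec = self._live(source, now)
        return rec is not None and rec.status == "INTRUDER"

    def worst_case_hidden_seconds(self) -> float:
        """Bound a defender (or attacker) can rely on: LGI_HID_TIM plus 10%."""
        return self.hid_tim * 1.1


def replay(tracker: BreakinTracker, source: str,
           failure_times: List[float]) -> List[Record]:
    """Feed a sequence of failure timestamps and return a snapshot per step."""
    out = []
    for t in failure_times:
        rec = tracker.login_failure(source, t)
        out.append(Record(rec.status, rec.count, rec.expiration))
    return out


if __name__ == "__main__":
    # Constructed scenario: 8 failures one second apart with a fixed jitter
    # sequence, mimicking Davor's LGI_BRK_LIM=6, 30-minute TMO/HID_TIM run.
    tr = BreakinTracker(brk_lim=6, brk_tmo=1800, hid_tim=1800,
                        jitter=fixed_jitter([0.9, 0.1]))
    for r in replay(tr, "TERMINAL", [float(t) for t in range(8)]):
        print(f"{r.status:8s} {r.count:3d}  expires at t={r.expiration:.0f}s")
```

Run stand-alone, the replay shows the SUSPECT expiration climbing by 1800 s per failure, then, from the sixth failure on, INTRUDER expirations of roughly 1967 s, 1824 s, 1969 s: the count keeps rising while the expiration dips and recovers, which is the pattern in Davor's 8/12/13 sample. The only figure an operator can rely on is `worst_case_hidden_seconds()`, matching John's advice to assume the worst case.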
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

Oh~ I'm not so sure about it,
but I can do further testing tomorrow and give you the result in time :)

Thank you for your reply clarifying my question.
I appreciate that :)
John Gillings
Honored Contributor

Re: expiration time of INTRUDER

Davor, Wim,

Good, I'm glad you find it difficult to predict the expiration time; that is the INTENTION of the algorithm.

All you need to know is higher values of LGI_BRK_TMO and LGI_HID_TIM will cause the expiration time to be longer, and lower values shorter. The exact result is deliberately chaotic and subject to change.

Why? So that even folk who know what's happening cannot predict in advance when they can start trying again.
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

Thanks John~!
Thanks all!

I will do some further investigation in Oct.
This month I will work on SLS.

Sincere thanks for your replies~ :)
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

close :)
Wim Van den Wyngaert
Honored Contributor

Re: expiration time of INTRUDER

John,

It would be more chaotic if it was really unpredictable. The 10% increase can easily be found.

Wim
Davor_7
Regular Advisor

Re: expiration time of INTRUDER

We are trying to find this principle, right?