[wplug] users sending to wrong email address

Bill Moran wmoran at potentialtech.com
Thu Jan 3 12:44:23 EST 2008


In response to Christopher DeMarco <demarco at maya.com>:

> On Thu, Jan 03, 2008 at 11:40:53AM -0500, Bill Moran wrote:
> 
> > of people setting up packet dropping firewalls all over the internet.
> > TCP connections to closed ports should return RST.  Sysadmins who don't
> 
> Uh, except that an RST is positive confirmation that *something* is
> alive at that port.  Dropping the packet provides no information about
> whether the port is alive.  RST means "no SYN/ACK"; "nothing" means
> "no SYN/ACK *arrived*".  Big difference.

I believe I quote George Washington when I say, "huh?"

An RST is a NAK.  It means that the system on that IP address is
saying, positively, that nothing is alive on that port (or that other
circumstances prevent you from using it, such as your IP doesn't
match the other half of the socket pair).

No response is indeterminate.  Nothing about whether or not anything
arrived or not should be assumed.

> Nmap, for example, has a discrete state of "filtered", which means
> that it *can't tell* whether the port is open or closed.  Some people
> find this uncertainty useful -- sending RST tells an attacker that
> there's definitely something there and that it doesn't want to talk;
> silently doing nothing creates uncertainty.

Um ... no.

I can (and do) program my Firewall to always return RSTs for all firewalled
TCP ports.  This actually creates more successful misinformation than
dropping packets.  A few years ago, I had a script kiddie online laugh
at me for not having a firewall.  Meanwhile, I was running a powerfully
aggressive filter on that system, but his portscan program incorrectly
assumed that there was no firewall because it got RSTs on all firewalled
TCP ports.  Who's being more effective at concealing their security
policy now?

Besides.  Nowadays, a portscanner is liable to end up on my blocklist
when the PF rules catch the rapid open/closing of TCP ports anyway.
So the attacker is only liable to get correct information for one or
two ports before 

What silently doing nothing _does_ achieve is the problem that Kevin
described: hung connections all over the Internet by people legitimately
trying to access services that should be there and aren't.  I wonder
how many CPU hours are wasted each day on sockets timing out when they
could just receive an RST and know immediately that they're not getting
through ... it makes me sad.

-- 
Bill Moran
http://www.potentialtech.com
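The two firewall policies argued over above, expressed as a pf.conf fragment. This is an added illustration, not configuration from Bill's post or from the wplug list; the interface name `em0`, the table name `<scanners>`, and the rate limit of 10 connections per 5 seconds are assumptions chosen for the example.

```pf
# Added example (not from the original message). Interface name, table
# name and the rate threshold are assumptions.
ext_if = "em0"

# Source addresses caught opening TCP connections too quickly end up here.
table <scanners> persist

# Make plain "block" answer TCP with RST (and UDP with ICMP unreachable)
# instead of dropping silently, so legitimate clients fail immediately
# rather than hanging until their socket times out.
set block-policy return

# Default deny on the external interface; TCP SYNs to filtered ports get
# an RST, which is exactly what a closed port would send.
block return in on $ext_if

# Anything already identified as a scanner is dropped quickly and silently:
# after the first hit or two it gets no further correct information.
block drop in quick on $ext_if from <scanners>

# Allow SSH, but count new connections per source address: more than
# 10 in 5 seconds moves the source into <scanners> and flushes its
# existing states.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 10/5, overload <scanners> flush global)
```

One caveat worth knowing before copying this: `max-src-conn-rate` only counts connections that match the `pass` rule it is attached to, so it catches a burst against the SSH service, not SYNs to ports the `block return` rule already rejected. Entries added by `overload` stay in the table until removed; `pfctl -t scanners -T expire 3600` clears entries older than an hour and is a reasonable cron job.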
