[wplug] users sending to wrong email address
Christopher DeMarco
demarco at maya.com
Thu Jan 3 13:12:59 EST 2008
On Thu, Jan 03, 2008 at 12:44:23PM -0500, Bill Moran wrote:
> I can (and do) program my Firewall to always return RSTs for all firewalled
> TCP ports. This actually creates more successful misinformation than
SYN --> RST # what does this mean?
# (a) Endpoint doesn't want to talk to me.
SYN --> TIMEOUT # what does this mean?
# (a) Endpoint doesn't want to talk to me.
# (b) SYN never reached the endpoint.
# (c) SYN/ACK never reached me.
# (d) SYN/ACK never generated.
What are the implications of an ICMP UNREACHABLE response?
> dropping packets. A few years ago, I had a script kiddie online laugh
> at me for not having a firewall. Meanwhile, I was running a powerfully
> aggressive filter on that system, but his portscan program incorrectly
> assumed that there was no firewall because it got RSTs on all firewalled
> TCP ports. Who's being more effective at concealing their security
> policy now?
What, you're proud that you've got dumber attackers than I have?
> What silently doing nothing _does_ achieve is the problem that Kevin
> described: hung connections all over the Internet by people legitimately
I agree that it's a problem. I took issue (perhaps my fault for not
being clear enough about my objection?) with your blanket statement
that DROPping is unequivocally bad.
> trying to access services that should be there and aren't. I wonder
> how many CPU hours are wasted each day on sockets timing out when they
> could just receive an RST and know immediately that they're not getting
> through ... it makes me sad.
For the record, I agree that it sucks if *legitimate* connections have
to timeout. I guess that one reason for silently dropping
connections, though, is to cost attackers time in portscanning. It's
a teergrube.
--
Christopher DeMarco <demarco at maya.com>
Information Technology Supervisor
MAYA Group
+1-412-488-2900
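The RST / timeout / ICMP-unreachable cases argued over in this thread, seen from the scanner's side. This is an added example and is not code from the original message or from either poster: it classifies the result of a plain TCP connect() probe into the outcomes above, with the four-way ambiguity of a timeout left ambiguous. The errno mapping (ECONNREFUSED for a RST or ICMP port-unreachable, EHOSTUNREACH/ENETUNREACH for the other ICMP destination-unreachable codes) is the Linux one and is an assumption; the sample outcomes and the loopback sockets used in demo() are constructed here.

```python
import errno
import socket

# Added example, not from the original thread. Classifies what a connect()
# scan can conclude from RST, silence, or ICMP unreachable.
# Assumption: Linux mapping of ICMP type 3 codes to connect() errnos.


def classify(outcome):
    """Map a connect() result (None on success, else the exception raised)
    to what the scanner can actually conclude about the target port."""
    if outcome is None:
        return "open: SYN/ACK came back, something is listening"
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        # (a) endpoint DROPs, (b) SYN lost, (c) SYN/ACK lost, (d) SYN/ACK
        # never generated: a timeout cannot tell these four apart.
        return "filtered: no answer at all, cause ambiguous"
    if isinstance(outcome, OSError):
        if (isinstance(outcome, ConnectionRefusedError)
                or outcome.errno == errno.ECONNREFUSED):
            # A RST, or an ICMP port-unreachable (the iptables REJECT
            # default), which the Linux kernel reports to connect() alike.
            return "closed: RST (or ICMP port-unreachable) received"
        if outcome.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # ICMP host/net unreachable or admin-prohibited: a router or a
            # REJECTing firewall said so explicitly, no timeout needed.
            return "unreachable: ICMP destination-unreachable received"
    return "unknown: %r" % (outcome,)


def probe(host, port, timeout=3.0):
    """Full connect() probe of one port; returns the classify() verdict."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return classify(None)
    except OSError as e:
        return classify(e)
    finally:
        s.close()


def sample_outcomes():
    """Constructed connect() outcomes, one per branch of classify()."""
    return {
        "open": None,
        "filtered": TimeoutError("timed out"),
        "closed": ConnectionRefusedError(errno.ECONNREFUSED, "refused"),
        "unreachable": OSError(errno.EHOSTUNREACH, "no route to host"),
    }


def demo():
    """Generate the open and closed cases on loopback and probe them.

    A listening socket answers SYN/ACK; a socket that is bound but not
    listening makes the kernel answer RST. Keeping the second socket bound
    also stops the kernel from handing that port out as our source port.
    Timeouts and ICMP unreachables need a firewall rule or a dead host and
    are not generated here."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    bound_only = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound_only.bind(("127.0.0.1", 0))
    try:
        open_port = listener.getsockname()[1]
        closed_port = bound_only.getsockname()[1]
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()
        bound_only.close()


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Read against the two policies in the thread: a firewall that answers RST on every filtered port makes every one of them land in the "closed" bucket, indistinguishable from ports with nothing listening, which is the misinformation Bill describes; a firewall that silently DROPs lands them in "filtered", which is more honest to the scanner but only after it has waited out the full timeout for each port, which is the teergrube effect Christopher mentions.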