[wplug] users sending to wrong email address

Bill Moran wmoran at potentialtech.com
Thu Jan 3 22:13:32 EST 2008


Christopher DeMarco <demarco at maya.com> wrote:
>
> On Thu, Jan 03, 2008 at 12:44:23PM -0500, Bill Moran wrote:
> 
> > I can (and do) program my Firewall to always return RSTs for all firewalled
> > TCP ports.  This actually creates more successful misinformation than
> 
> SYN --> RST     # what does this mean?
>                 # (a) Endpoint doesn't want to talk to me.

Right.
> SYN --> TIMEOUT # what does this mean?
>                 # (a) Endpoint doesn't want to talk to me.

Technically, no.  This is something that everyone assumes because so many
firewalls drop packets.

>                 # (b) SYN never reached the endpoint.
>                 # (c) SYN/ACK never reached me.
>                 # (d) SYN/ACK never generated.

These three are correct, and can be grouped under a single topic,
"communication problems are occurring".

> What are the implications of an ICMP UNREACHABLE response?

Which one?  There are 14 of them, my favorite of which is "Communication
administratively prohibited" :)

> > dropping packets.  A few years ago, I had a script kiddie online laugh
> > at me for not having a firewall.  Meanwhile, I was running a powerfully
> > aggressive filter on that system, but his portscan program incorrectly
> > assumed that there was no firewall because it got RSTs on all firewalled
> > TCP ports.  Who's being more effective at concealing their security
> > policy now?
> 
> What, you're proud that you've got dumber attackers than I have?

Are we going to degenerate to this?  If so, my response is, "Do you
honestly believe that's what I meant?"

> > What silently doing nothing _does_ achieve is the problem that Kevin
> > described: hung connections all over the Internet by people legitimately
> 
> I agree that it's a problem.  I took issue (perhaps my fault for not
> being clear enough about my objection?) with your blanket statement
> that DROPping is unequivocally bad.

Perhaps I miscommunicated there.  Certainly, if you're under active
DDoS attack, dropping packets is desirable.  It's the wholesale dropping
of all packets that don't have a destination that is unequivocally bad.

If you're seeing attack attempts against a nonexistent SMTP server, it's
justifiable to drop those packets, but dropping all packets to port 25
because you're not running an SMTP server is against the design intent of
TCP, and doesn't accomplish anything effective.  Hell, if someone is going
to DDoS you, they're not going to attack a port that drops packets anyway.

What could you possibly be accomplishing?

> > trying to access services that should be there and aren't.  I wonder
> > how many CPU hours are wasted each day on sockets timing out when they
> > could just receive an RST and know immediately that they're not getting
> > through ... it makes me sad.
> 
> For the record, I agree that it sucks if *legitimate* connections have
> to time out.  I guess that one reason for silently dropping
> connections, though, is to cost attackers time in portscanning.  It's
> a teergrube.

If your packet filtering system cannot recognize a portscan and
dynamically drop packets as a result, I recommend you upgrade to something
newer than a Pentium Pro.  Alexandros suggested LaBrea, for example.  pf
has this capability.  If you spent money on a firewall and it doesn't have
this capability, you got robbed.

-- 
Bill Moran
http://www.potentialtech.com
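As an added illustration of the setup Bill describes at the end of his message (refuse closed ports immediately with an RST or ICMP reply, but drop silently from a source once it behaves like a portscan), here is a constructed pf.conf fragment. It is not from the thread or from any participant; the interface name, port list, table name and rate thresholds are assumptions to adjust for a real host.

```pf
# Constructed example pf.conf fragment (not from the original thread).
# Assumed interface name; adjust for your host.
ext_if = "em0"

# Default policy for blocked traffic: answer instead of silently dropping.
# TCP gets an RST, UDP gets an ICMP port unreachable, so legitimate clients
# fail immediately instead of waiting out a connection timeout.
set block-policy return

# Addresses that have tripped the connection-rate limit further down.
table <scanners> persist

# Sources already flagged as scanners are dropped silently. This is the
# "dynamically drop packets as a result" case, applied only after the
# source has misbehaved, not to every packet on every closed port.
block drop quick from <scanners>

# Anything not explicitly allowed is refused with an RST or ICMP reply
# (inherits the block-policy above).
block in on $ext_if

# Alternative for one port: answer with ICMP unreachable code 13,
# "communication administratively prohibited", instead of a TCP RST.
block return-icmp(filter-prohib) in on $ext_if proto tcp to port 25

# Offer the real services. A source opening more than 10 new connections
# within 5 seconds, or holding 50 at once, is added to <scanners> and its
# existing states are flushed, after which the block-drop rule above applies.
pass in on $ext_if proto tcp to port { 22, 80 } flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 10/5, overload <scanners> flush global)
```

Rule order matters here: pf uses last-match-wins except for `quick` rules, so the `block drop quick` line for known scanners is evaluated first, the catch-all `block in` is overridden by the later port 25 and `pass` rules, and everything else on the interface gets an RST. Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and inspect the table afterwards with `pfctl -t scanners -T show`.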

