
[no subject]



> On 12/16/05, Chris Ricker <kaboom at oobleck.net> wrote:
>
>     That's the whole point -- you have to return something if you want
>     it to look "normal"
>
>     If you connect to a normal, unfiltered port with nothing listening
>     on it, a compliant TCP/IP stack does not drop your connecting packet
>     on the floor. Instead, it returns a response that lets you know
>     there's no service listening on that port:
>
>     * for TCP, it returns a TCP reset
>
>     * for UDP, it returns an ICMP port unreachable
>
>     By using the "-p tcp -j REJECT --reject-with tcp-reset" or
>     "-p udp -j REJECT", your filter response is the same as an
>     unfiltered, unbound port's response
>
>     That's not to say an "iptables -p tcp -j REJECT --reject-with
>     tcp-reset" is undetectable, just that it's a lot less obvious than
>     an "iptables -p tcp -j DROP". Whether that's good or bad is
>     situation-dependent and opinion-dependent ;-)
>
> Right, I think I understand this.  But the flip side to this is that
> the attacker now knows that there is a machine there, whereas if you
> drop the packet, he doesn't know whether it is because of a firewall
> dropping packets or because it is an unused IP address.  If my
> assumption is correct, hackers are not going to want to investigate
> this further since it could be a waste of time.
>
> Or am I not understanding this correctly?
Don't you remember "War Games" the movie?  I hope I got the name right.
You start the modems on a dial up script and go to work/school.  No
time wasted.  Then come back and thumb through the logs.  Or do a script
that takes you to points of interest.  Same can be said for reviewing
your system logs.  Which is why I won't use a software box as a gateway
anymore.  I am too busy to keep up with all the hacks and updates needed
to stay ahead of the script kiddies.  Although, I would love to play
with the "tarpit" thing one day.  Somehow knowing that I am screwing
with someone's head and holding their TCP connections hostage brings a
smile to my face.

Wonder what would happen if I did this on a corporate network on port
139......I am thinking pink slip.

Adrin
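To make the distinction in the quoted explanation concrete, here is an added model (not code from the thread) of what a port scanner reports under the three policies: unfiltered, `-j DROP`, and `-j REJECT`. The host and scanner rules are simplified assumptions, and the state names follow nmap's open/closed/filtered convention.

```python
# Added illustration of the thread's point: what a scanner sees for an
# unfiltered port versus iptables DROP versus REJECT.  Constructed example,
# not list code; host model and verdict table are simplified nmap-style rules.
from enum import Enum

class Policy(Enum):
    NONE = "unfiltered"   # probe reaches the TCP/IP stack untouched
    DROP = "-j DROP"      # probe silently discarded, nothing sent back
    REJECT = "-j REJECT"  # tcp: --reject-with tcp-reset, udp: icmp-port-unreachable

def host_response(proto, port, listening, policy):
    """Packet the probed host sends back, or None when it stays silent.
    `listening` is the set of bound ports (constructed input); a UDP service
    is assumed to always answer, which real ones often do not."""
    if policy is Policy.DROP:
        return None
    if policy is Policy.REJECT:
        # REJECT forges exactly what an unbound port's stack would answer
        return "RST" if proto == "tcp" else "ICMP port unreachable"
    if port in listening:
        return "SYN/ACK" if proto == "tcp" else "UDP reply"
    # compliant stack, nothing bound: reset for TCP, port unreachable for UDP
    return "RST" if proto == "tcp" else "ICMP port unreachable"

def scanner_verdict(proto, response):
    """Port state a scanner reports from the observed response (nmap-style)."""
    if response is None:
        # silence: a filter or no host at all; UDP cannot tell open from filtered
        return "filtered" if proto == "tcp" else "open|filtered"
    if response in ("SYN/ACK", "UDP reply"):
        return "open"
    if response == "RST":
        return "closed"
    if response == "ICMP port unreachable":
        # port unreachable closes a UDP port; for a TCP SYN it indicates a filter
        return "closed" if proto == "udp" else "filtered"
    return "filtered"

def scan(proto, port, listening, policy):
    """State reported for one port under one firewall policy."""
    return scanner_verdict(proto, host_response(proto, port, listening, policy))

def host_appears_present(proto, ports, listening, policy):
    """True when any probe got an answer, i.e. the address looks in use.
    Ignores ping/ARP discovery, which a real scanner would also try."""
    return any(host_response(proto, p, listening, policy) is not None for p in ports)

if __name__ == "__main__":
    for policy in Policy:  # nothing bound on tcp/139, three policies
        print(policy.value, "->", scan("tcp", 139, set(), policy))
```

Run stand-alone it shows that REJECT and an unbound port both come back "closed", while DROP comes back "filtered" and therefore reveals that something is filtering.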



</pre>
</body>
</html>