> >More, it could not be a `bug', anyway we can easily patch irc-client to
> >bind random port.
> This won't change the problem since you can still port-scan a wider range
> to pick up the random ports. This kind of stuff is best left to the
> operating system.

I think you are falsely minimizing the problem and the proposed solution. While port scanning a range of 20 or so ports can be done continuously with one iteration taking at most a few seconds, port scanning the entire range of 64512 possible ports for a random listening socket makes it considerably more difficult to nail the right one.

Also, I suspect that ircii binds the listening port before advertising it over IRC. This means that the "race" to connect to the port has as much time as it takes IRC to relay the message to the intended client.. which can be quite a long time, as I'm sure we're all aware IRC isn't the fastest thing.

Why wait for the OS to increase your security, when an easy and compatible method exists and can be implemented with a small amount of effort?

> >Which is your point of view? hehe
> My point of view is that one should write a script to hook /on dcc_offer,

Checking user@host (via whois) is vulnerable to DNS spoofing. Using the results of stats L is better, but both methods break compatibility with irc proxies and FXP-type relaying. Using a random port over a broad range gives reasonable satisfaction that the person connecting shares the secret (the random port) with you.. and they can still connect from whatever IP their configuration reaches you from.

If a change in the protocol was possible, perhaps a large key could be transmitted as the greeting on the DCC connection to further prove the identity of the connector.

> Something that hooks /on dcc_offer and then does a $listen() to fool the
> port scanner into connecting to the $listen() socket would be sufficient.

This only defeats a dumb scanner, and needlessly wastes resources.

Pimpin'!
-vermontat_private
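The random-port mitigation discussed in this message, sketched as an added example (not code from the post or from ircII): the listener draws its port uniformly from the 64512 unprivileged ports using the kernel random source, so the advertised port is not predictable from earlier offers. The names `random_port` and `listen_random_port` are hypothetical, and a Unix-like system with `/dev/urandom` is assumed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PORT_MIN 1024u   /* 65536 - 1024 = 64512 candidate ports */

/* Uniform port in [1024, 65535] from the kernel CSPRNG; 0 on read failure. */
static uint16_t random_port(int rnd_fd)
{
    uint16_t v;
    do {
        if (read(rnd_fd, &v, sizeof v) != (ssize_t)sizeof v)
            return 0;
    } while (v < PORT_MIN);   /* rejection sampling avoids modulo bias */
    return v;
}

/* Returns a listening fd and stores the port to advertise, or -1 on error. */
int listen_random_port(uint16_t *port_out)
{
    int fd = -1, rnd_fd = open("/dev/urandom", O_RDONLY);
    if (rnd_fd < 0) return -1;
    for (int attempt = 0; attempt < 64 && fd < 0; attempt++) {
        uint16_t port = random_port(rnd_fd);
        int s = port ? socket(AF_INET, SOCK_STREAM, 0) : -1;
        if (s < 0) break;
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_ANY);
        sa.sin_port = htons(port);
        if (bind(s, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(s, 1) == 0) {
            fd = s;               /* backlog of 1: one peer expected per offer */
            *port_out = port;
        } else {
            int busy = (errno == EADDRINUSE);
            close(s);
            if (!busy) break;     /* only retry when the port was already taken */
        }
    }
    close(rnd_fd);
    return fd;
}
```

The port is bound before it is returned for advertising, matching the order the message attributes to ircii, so the unpredictability of the draw is the only thing protecting the listener during the relay delay.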
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:07 PDT