Re: Port 113 requests?

From: Paul Cardon (@moquijo.com)
Date: Thu Dec 06 2001 - 20:25:28 PST

  • Next message: Chris Keladis: "RE: Port 113 requests?"

    Slighter, Tim wrote:
    
    > you really should try and specify that the rule "drops" instead of reject so
    > that the potential intruder is not provided with any information about their
    > attempted connection.
    
    
    tcp 113 (auth) is a common exception because of performance issues with 
    legitimate traffic.  Suppose you have a mail relay that sends out a 
    large volume of SMTP e-mail on behalf of users in your organization.  If 
    you drop all of the auth requests coming back to your mail relay from 
    servers to which you are delivering outbound mail, each of those 
    connections must wait for the auth attempt to timeout before the mail 
    can be delivered.  If you send a reject, the auth fails immediately and 
    the SMTP connection will complete in a timely fashion.
    
    True, it is a workaround for what is in my opinion a completely useless 
    protocol.  The right fix is to go and rebuild all those versions of 
    sendmail that have it enabled by default.  Unfortunately, if you don't 
    use a reject policy and you do send large volumes of outbound e-mail you 
    may find that the mail relay is taking a significant performance hit.
    
    -paul
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 13:24:38 PST