Re: Scan of TCP 552-554

From: Russell Harding (hardingrat_private)
Date: Mon Jul 28 2003 - 10:40:15 PDT


    Rodrigo,
    
      When configuring my new firewall, I had this exact thought, and decided
    to silently drop as most firewalls, thinking I was likely missing
    something.
    
      I think the reason to drop, rather than reply politely, is the following:
    scanning is much slower when packets are dropped.  Try scanning a
    firewalled host which has packets dropped, and compare to an unfirewalled
    host which responds with RSTs; the time difference is dramatic.
    
    <thought>
      I have often wondered if adaptive scanning techniques will be used
    against this common policy.  For example, if RTT times are short for all
    ports != 135-139, do we have to wait for a full timeout? Or perhaps RTT*3?
    Or a scanner which will pick up stray RSTs and figure out which probe
    they were responding to, etc....
    </thought>
    
         -Russell
    
    On Fri, 25 Jul 2003, Rodrigo Barbosa wrote:
    
    > On Thu, Jul 24, 2003 at 06:10:30PM -0500, Frank Knobbe wrote:
    > > For example, if you do a TCP scan from port 135 to port 140 on a Windows
    > > box, and you receive nothing on 135, 136, 137, 138, 139, but a TCP Reset
    > > on 140, there is a high probability that an admin only put a firewall
    > > rules in place that simply says 'drop 135-139' to cover the RPC/NetBIOS
    > > range, but left the system otherwise unprotected, with Windows sending a
    > > Reset on port 140. (Of course you might want to confirm by 'pinging' a
    > > couple other closed ports, like port 109 or something).
    >
    > That is something I have been wondering for a while.
    > On my firewall, I can set the blockage to either drop the package,
    > send a tcp-reset back, or an assorted lot of icmp messages.
    >
    > I figured that sending a tcp-reset would help to hide the firewall. On
    > the other hand, it would cause extra traffic (which could help a DoS attempt).
    > Also, sending an icmp-administratively-forbidden message back would be the
    > 'polite' thing to do.  After all that, I wonder what would be the best practice.
    >
    > On small links, I usually choose to use tcp-reset. After all, it's
    > pretty easy to do a DoS on those links. And the less information a
    > would-be attacker gets on my system, the better. On the other hand (3 hands!??!),
    > the tcp-reset package does carry some information about my host.
    >
    > So, all in all, I'm a little lost as to which is the better option to use.
    >
    > --
    > Rodrigo Barbosa <rodrigobat_private>
    > "Be excellent to each other ..." - Bill & Ted (The Wild Stallions)
    >
    >
    
    
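The two technical points in this thread are the leak Frank describes (closed ports that answer inconsistently reveal where the drop rules start and stop) and the timing cost Russell describes (dropped probes make a serial scan wait for a timeout, unless the scanner adapts its wait to the observed RTT). The script below is an added example, not code from the thread or from any of the posters: it audits a set of probe results for a single host, reports any dropped range that stands out against otherwise-answered closed ports, and estimates how much scan time the drop policy actually buys against a naive versus an RTT-adaptive scanner. The probe results, the 3-second scanner timeout, and the `RTT*3` adaptive factor are all constructed assumptions for illustration.

```python
"""Audit one host's closed-port responses for (a) an inconsistent
drop/reject policy and (b) the scan-time cost that dropping imposes."""
from statistics import median

# Assumed timeout a non-adaptive scanner waits before giving up on a probe.
FULL_TIMEOUT = 3.0

# Constructed sample of probe results: (port, response, rtt_seconds).
# response is "rst" or "icmp-admin-prohibited" for answered probes and
# None when the probe was silently dropped (no RTT is observed then).
SAMPLE_PROBES = [
    (109, "rst", 0.012),
    (135, None, None),
    (136, None, None),
    (137, None, None),
    (138, None, None),
    (139, None, None),
    (140, "rst", 0.011),
    (445, "rst", 0.013),
]


def group_by_response(probes):
    """Map each response class ("rst", "icmp-admin-prohibited", "drop")
    to the list of ports that produced it."""
    groups = {}
    for port, response, _rtt in probes:
        groups.setdefault(response or "drop", []).append(port)
    return groups


def port_ranges(ports):
    """Collapse a list of ports into sorted contiguous (lo, hi) ranges."""
    ranges = []
    for port in sorted(ports):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def inconsistent_policy(probes):
    """Return the dropped port ranges when closed ports answer in more than
    one way (some dropped, some replied to); an empty list means the host
    treats all probed closed ports the same and leaks no rule boundary."""
    groups = group_by_response(probes)
    if len(groups) < 2 or "drop" not in groups:
        return []
    return port_ranges(groups["drop"])


def serial_scan_seconds(probes, timeout=FULL_TIMEOUT, adaptive_factor=None):
    """Estimate the wall-clock cost of probing these ports one at a time.
    Answered probes cost their RTT; dropped probes cost the scanner's wait,
    which is the full timeout for a naive scanner or adaptive_factor times
    the median observed RTT for one that adapts (capped at the timeout)."""
    observed = [rtt for _port, response, rtt in probes if response is not None]
    wait = timeout
    if adaptive_factor is not None and observed:
        wait = min(timeout, adaptive_factor * median(observed))
    total = 0.0
    for _port, response, rtt in probes:
        total += rtt if response is not None else wait
    return round(total, 3)


if __name__ == "__main__":
    leak = inconsistent_policy(SAMPLE_PROBES)
    if leak:
        print("mixed policy; dropped ranges stand out:", leak)
    else:
        print("uniform policy across probed closed ports")
    print("naive scanner   :", serial_scan_seconds(SAMPLE_PROBES), "s")
    print("adaptive (RTT*3):", serial_scan_seconds(SAMPLE_PROBES, adaptive_factor=3), "s")
```

Run against the constructed sample, the audit flags 135-139 as the only dropped range among otherwise RST-answering closed ports, which is exactly the pattern Frank's post says gives away a narrow "drop 135-139" rule. The timing estimate shows the other half of the thread: five dropped probes cost a naive scanner about 15 seconds, but a scanner that waits only three times the median RTT it has already seen finishes in well under a second, so the drop policy's speed penalty depends on the scanner, not just the firewall. The fix the numbers point to is the one the thread circles around: make the response to closed ports uniform (all drop, or all reject) rather than dropping a selected range.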
    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 12:50:30 PDT