Re: Scan of TCP 552-554

From: Rodrigo Barbosa (rodrigobat_private)
Date: Mon Jul 28 2003 - 14:47:06 PDT


    On Mon, Jul 28, 2003 at 03:49:26PM -0500, Frank Knobbe wrote:
    > On Mon, 2003-07-28 at 12:54, Rodrigo Barbosa wrote:
    > > My reasoning is that you have to trust your firewall. Sooner or later, the
    > > attacker will bruteforce it. So, the longer it takes for the
    > > attacker to understand there is a firewall there, the better. That is
    > > why I'm considering using tcp-reset. This way, the attacker will hit
    > > the traps faster. Maybe even same traps that will block his attack
    > > entirely.
    > 
    > Sure, everything can be figured out over time. To answer your question,
    > personally I drop everything silently on the firewall (like Russel) on
    > the outside interface. On the inside interface I prefer to send a
    > TCP-Reset so that internal devices get on with their business and don't
    > hang in timeout states. Keep in mind that my policy (just like yours I
    > hope) takes a "deny all, allow required" stance. Firewalls that allow
    > all and filter out certain port ranges may be better off with TCP-RST
    > while deny-all firewalls may be better off with silent drops.
    
    People who deploy "allow all, filter selected" firewalls are better off
    with brain surgery, if you ask my opinion.
    
    And I do agree we hide nothing forever. Just the same, we delay nothing
    forever. So, where lies the optimum point? Your host-unreachable below
    is along the lines of the adm-forbidden I suggested before. Anyone else
    care to contribute thoughts on this matter?
    
    > I don't think you will always be able to completely hide a system though
    > (especially when it serves a purpose, like email ;)
    > However, a thought just came to mind. Would it be better (from a
    > cover-up point of view) to have the firewall send a spoofed
    > ICMP-Host-Unreachable packet with the router's IP address? :)
    
    That is interesting. You mean spoofing with the address of the hop
    just before the firewall? That would be nice, considering you have control
    of that router, which is not always the case. Or if the firewall is the
    target host. If it is just another "router", we can just send a plain
    host-unreachable, and be done with it.
    
    -- 
    Rodrigo Barbosa <rodrigobat_private>
    "Be excellent to each other ..." - Bill & Ted (The Wild Stallions)
    
    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 15:25:20 PDT