RE: Scan of TCP 552-554

From: Nick Nauwelaerts (nick.nauwelaerts@compu-mark.com)
Date: Tue Jul 29 2003 - 00:31:44 PDT

Next message: Sumit: "RE: Exploit for Windows RPC may be in the wild!"

Previous message: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
Maybe in reply to: Bill McCarty: "Scan of TCP 552-554"
Next in thread: Frank Knobbe: "RE: Scan of TCP 552-554"
Reply: Frank Knobbe: "RE: Scan of TCP 552-554"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----Original Message-----
From: Rodrigo Barbosa [mailto:rodrigobat_private] 
Sent: Friday, July 25, 2003 08:23 PM
To: Incidents
Subject: Re: Scan of TCP 552-554

On Thu, Jul 24, 2003 at 06:10:30PM -0500, Frank Knobbe wrote:
> For example, if you do a TCP scan from port 135 to port 140 on a 
> Windows box, and you receive nothing on 135, 136, 137, 138, 139, but a 
> TCP Reset on 140, there is a high probability that an admin only put a 
> firewall rules in place that simply says 'drop 135-139' to cover the 
> RPC/NetBIOS range, but left the system otherwise unprotected, with 
> Windows sending a Reset on port 140. (Of course you might want to 
> confirm by 'pinging' a couple other closed ports, like port 109 or 
> something).

That is something I have been wondering for a while.
On my firewall, I can set the blockage to either drop the package, send a
tcp-reset back, or an asorted lot of icmp messages.

I figured that sending a tcp-reset would help to hide the firewall. On the
other hand, it would cause extra traffic (which could help a DoS attempt).
Also, sending an icmp-administratively-forbidden message back would be the
'polite' thing to do.  After all that, I would what would be the best
practice.

On small links, I usually choose to use tcp-reset. After all, it's pretty
easy to do a DoS on those links. And the less information an
would-be-attacker get on my system, the better. On the other hand (3
hands!??!), the tcp-reset package do carry some information about my host.

So, all in all, I'm a little lost of which is the better option to use.

---

I consider that it's best to reply to unwanted connection attempts; you're
never sure that they're unwanted. Discarding, not blocking, incoming traffic
has as added feature that it breaks MTU path discovery. If your firewall is
part of an upstream route you break other people's troubleshooting. If this
was done by everyone you can forget about basic troubleshooting tools such
as traceroute of ping.

It's all to easy to fingerprint remote hosts on just about any kind of
network traffic, it can even be done passively. Even if sending
icmp-port-unreachable's or tpc-resets you'll have to see that the TTL is
adjusted if you want to hide the firewall. One open port on or after the
firewall can betray it. It's a lot of effort to get it right, and many don't
have the skill.

To go with the previous poster, replying is the polite thing to do.

// nick

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Sumit: "RE: Exploit for Windows RPC may be in the wild!"
Previous message: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
Maybe in reply to: Bill McCarty: "Scan of TCP 552-554"
Next in thread: Frank Knobbe: "RE: Scan of TCP 552-554"
Reply: Frank Knobbe: "RE: Scan of TCP 552-554"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 09:42:01 PDT