-----Original Message----- From: Rodrigo Barbosa [mailto:rodrigobat_private] Sent: Friday, July 25, 2003 08:23 PM To: Incidents Subject: Re: Scan of TCP 552-554 On Thu, Jul 24, 2003 at 06:10:30PM -0500, Frank Knobbe wrote: > For example, if you do a TCP scan from port 135 to port 140 on a > Windows box, and you receive nothing on 135, 136, 137, 138, 139, but a > TCP Reset on 140, there is a high probability that an admin only put a > firewall rules in place that simply says 'drop 135-139' to cover the > RPC/NetBIOS range, but left the system otherwise unprotected, with > Windows sending a Reset on port 140. (Of course you might want to > confirm by 'pinging' a couple other closed ports, like port 109 or > something). That is something I have been wondering for a while. On my firewall, I can set the blockage to either drop the package, send a tcp-reset back, or an asorted lot of icmp messages. I figured that sending a tcp-reset would help to hide the firewall. On the other hand, it would cause extra traffic (which could help a DoS attempt). Also, sending an icmp-administratively-forbidden message back would be the 'polite' thing to do. After all that, I would what would be the best practice. On small links, I usually choose to use tcp-reset. After all, it's pretty easy to do a DoS on those links. And the less information an would-be-attacker get on my system, the better. On the other hand (3 hands!??!), the tcp-reset package do carry some information about my host. So, all in all, I'm a little lost of which is the better option to use. --- I consider that it's best to reply to unwanted connection attempts; you're never sure that they're unwanted. Discarding, not blocking, incoming traffic has as added feature that it breaks MTU path discovery. If your firewall is part of an upstream route you break other people's troubleshooting. If this was done by everyone you can forget about basic troubleshooting tools such as traceroute of ping. It's all to easy to fingerprint remote hosts on just about any kind of network traffic, it can even be done passively. Even if sending icmp-port-unreachable's or tpc-resets you'll have to see that the TTL is adjusted if you want to hide the firewall. One open port on or after the firewall can betray it. It's a lot of effort to get it right, and many don't have the skill. To go with the previous poster, replying is the polite thing to do. // nick --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 09:42:01 PDT