
Re: Hacked - is it my turn? - interesting




On Tue, 03 Feb 2004 at 09:03:31AM -0500, Rolf Kutz wrote:
> You're fooling yourself. What prevents sniffers from
> sending multiple packets at once[0]? And you're
> breaking the TCP protocol, which makes debugging
> much harder.

As mentioned before, it is a port-scanner.  Anyhow, TCP-Resets can turn
an asymmetric DoS attack/flood (one-way) into a symmetric DoS/flood
because now your host is generating traffic by replying to these
otherwise useless packets.  You could set a limit rule on sending a
TCP-Reset... I know.  I am not one that enjoys people breaking RFCs, but
in this case it does make *some* sense.  If someone is randomly port
scanning class C's and they hit your IP, get no response from an ICMP
(1) echo-request (8) and then try a few ports and get no TCP-Resets,
they are likely to think you are a dead IP[1].

1. Unless they are on your subnet and they can send an ARP request for
the IP and your machine responds.  The statement above assumes the
attacker/researcher is not on your subnet.

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
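The traffic asymmetry the message describes, and the "limit rule on sending a TCP-Reset" it mentions, modelled as an added example (this is not the poster's code or the list's). The token bucket mirrors the rate-plus-burst semantics of a firewall limit match placed in front of a reset reply; the 40-byte packet sizes, the 10/s rate and the burst of 20 are constructed assumptions, as is the SYN stream.

```python
# Model of what an unsolicited-SYN stream costs the receiving host under
# three reply policies: DROP (silent), REJECT (one RST per probe) and a
# rate-limited REJECT.  Packet sizes are constructed assumptions
# (minimal IPv4+TCP headers); real frames are larger.
SYN_BYTES = 40
RST_BYTES = 40


class RstLimiter:
    """Token bucket: 'rate' tokens per second, at most 'burst' saved up.
    One token is spent per RST allowed through, like a limit match."""

    def __init__(self, rate_per_s: float, burst: int) -> None:
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(probe_times, policy: str, rate: float = 10.0, burst: int = 20):
    """Return (bytes_in, bytes_out, rsts_sent) for probes at the given
    timestamps (seconds, ascending).  policy is 'drop', 'reject' or 'limited'."""
    if policy not in ("drop", "reject", "limited"):
        raise ValueError(f"unknown policy {policy!r}")
    limiter = RstLimiter(rate, burst)
    rsts = 0
    for t in probe_times:
        if policy == "reject" or (policy == "limited" and limiter.allow(t)):
            rsts += 1
    return len(probe_times) * SYN_BYTES, rsts * RST_BYTES, rsts


def flood(n: int, seconds: float = 1.0):
    """Constructed input: n SYNs spread evenly over 'seconds'."""
    return [i * seconds / n for i in range(n)]


if __name__ == "__main__":
    for pol in ("drop", "reject", "limited"):
        print(pol, simulate(flood(1000), pol))
```

With DROP the flood stays one-way; with REJECT the host echoes back as many bytes as it receives; with the limited policy it answers a scanner's handful of probes with real resets but caps what a flood can make it send.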
