Re: Hacked - is it my turn? - interesting
On Tue, 03 Feb 2004 at 09:03:31AM -0500, Rolf Kutz wrote:
> You're fooling yourself. What prevents sniffers from
> sending multiple packets at once[0]? And you're
> breaking the TCP protocol, which makes debugging
> much harder.
As mentioned before, it is a port-scanner. Anyhow, TCP-Resets can turn
an asymmetric DoS attack/flood (one-way) into a symmetric DoS/flood,
because now your host is generating traffic by replying to these
otherwise useless packets. You could set a limit rule on sending a
TCP-Reset... I know. I am not one that enjoys people breaking RFCs, but
in this case it does make *some* sense. If someone is randomly port
scanning class C's and they hit your IP, get no response from an ICMP
(1) echo-request (8) and then try a few ports and get no TCP-Resets,
they are likely to think you are a dead IP[1].
1. Unless they are on your subnet and they can send an ARP request for
the IP and your machine responds. The statement above assumes the
attacker/researcher is not on your subnet.
--
Phillip Hofmeister
PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
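A small model of the three reply policies weighed in the message above (reset every probe, drop silently, or reset under a limit rule), as an added example that is not from the original thread. The flood and the 40-byte RST size are constructed, and the token bucket only approximates the behaviour of a rate-limit rule such as iptables' limit match; it is not that code.

```python
"""Outbound traffic a host generates for probes to closed TCP ports under
three policies: 'reject' (RST for every probe, the symmetric flood),
'drop' (silent), 'limited' (RST only while a token bucket has tokens).
All traffic here is constructed; numbers are illustrative."""
from dataclasses import dataclass

RST_BYTES = 40  # minimal IPv4 header (20) + TCP header (20) of a RST


@dataclass
class TokenBucket:
    """Approximation of a '--limit R/second --limit-burst B' style rule."""
    rate: float            # tokens refilled per second
    burst: int             # bucket size and initial fill
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        # refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rst_responses(arrivals, policy, limit=None):
    """Return (rst_count, bytes_out) for probes arriving at `arrivals` (seconds).
    `limit` is a (rate, burst) pair, used only for policy 'limited'."""
    bucket = TokenBucket(*limit) if policy == "limited" else None
    sent = 0
    for t in arrivals:
        if policy == "reject" or (policy == "limited" and bucket.allow(t)):
            sent += 1
    return sent, sent * RST_BYTES


def flood(packets: int, seconds: float):
    """Constructed one-way flood: `packets` probes spread evenly over `seconds`."""
    return [i * seconds / packets for i in range(packets)]


if __name__ == "__main__":
    probes = flood(10_000, 1.0)
    for policy, limit in (("reject", None), ("drop", None), ("limited", (5, 10))):
        n, b = rst_responses(probes, policy, limit)
        print(f"{policy:8s} RSTs={n:6d} bytes_out={b}")
```

With the limited policy the replies are bounded by burst plus rate times duration, so the attacker's one-way flood no longer scales the host's outbound traffic.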