Date:      Tue, 17 Aug 1999 19:00:51 +0200 (CEST)
From:      Leif Neland <leifn@neland.dk>
To:        Matt Crawford <crawdad@fnal.gov>
Cc:        current@FreeBSD.ORG
Subject:   Re: Dropping connections without RST 
Message-ID:  <Pine.BSF.4.05.9908171851140.72905-100000@arnold.neland.dk>
In-Reply-To: <199908171417.JAA02482@gungnir.fnal.gov>


On Tue, 17 Aug 1999, Matt Crawford wrote:

> I see no point in the proposed mechanism.  The scanner can still tell
> the difference between a port with a listener and a port with none.
> The only case in which the attacker is confounded would be in
> distinguishing a box which is down or off the net from a box which
> has *no* services and does not answer ping.  I call that an
> uninteresting case.
> 
When scanning, I guess one needs to have some delay to determine if
something is there or not. If you want to hide some listener, you often
can afford a fairly long timeout. This will confuse the attacker, having
to wait a long time on each port to see if it is a black hole or a slow
listener. It will delay simple sequential scanning where the attacker
scans one port and waits for answer before proceeding to the next port.

This reminds me of a proposal for sendmail; instead of rejecting mail from
known spammers, one would accept the connection, but slow traffic down to
the slowest possible, so the spammer could only deliver very few messages.
Instead of killing the spammer, make every mailserver like quicksand,
drawing him down and drowning him :-]

Leif
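The exchange above argues about two things: whether silently dropping SYNs to closed ports hides anything from a scanner (Matt), and how much time it costs a scanner that probes ports one at a time (Leif). The following Python model, added here and not code from the mailing list, lets you check both claims without touching a network: a `Host` either answers closed ports with RST or stays silent, and a sequential scanner waits out a timeout on every port that never replies. The round-trip time, the timeout, the port sets and the "slow listener" delay are all constructed values.

```python
"""Toy model of a sequential port scan against a host that either answers
closed ports with RST or silently drops the SYN, as proposed in the thread.
Added illustration only (not code from the mailing list); all timings and
port sets below are constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RTT = 0.05      # constructed: network round-trip time in seconds
TIMEOUT = 3.0   # constructed: how long the scanner waits on a port before giving up


@dataclass(frozen=True)
class Host:
    listeners: frozenset         # ports with a service listening
    silent_drop: bool            # True: SYNs to closed ports get no RST at all
    reachable: bool = True       # False models a box that is down or off the net
    listen_delay: float = 0.0    # extra seconds a "slow listener" takes to SYN-ACK

    def respond(self, port: int) -> Tuple[Optional[str], float]:
        """Reply to a SYN on `port` as (message, extra delay); message None
        means the host never answers."""
        if not self.reachable:
            return None, 0.0
        if port in self.listeners:
            return "SYN-ACK", self.listen_delay
        if self.silent_drop:
            return None, 0.0
        return "RST", 0.0


def sequential_scan(host: Host, ports, rtt: float = RTT,
                    timeout: float = TIMEOUT) -> Tuple[Dict[int, str], float]:
    """Probe ports one at a time, waiting for each answer before moving on.
    Returns (verdict per port, total virtual seconds the scanner spent)."""
    verdicts: Dict[int, str] = {}
    elapsed = 0.0
    for port in ports:
        message, extra = host.respond(port)
        arrival = rtt + extra
        if message is None or arrival > timeout:
            # Black hole, dead host or a listener slower than the timeout:
            # the scanner cannot tell these apart and burns the full timeout.
            verdicts[port] = "no answer"
            elapsed += timeout
        elif message == "SYN-ACK":
            verdicts[port] = "open"
            elapsed += arrival
        else:
            verdicts[port] = "closed"
            elapsed += arrival
    return verdicts, elapsed


def open_ports(verdicts: Dict[int, str]):
    """Ports the scanner positively identified as having a listener."""
    return sorted(p for p, v in verdicts.items() if v == "open")


def same_picture(a: Host, b: Host, ports) -> bool:
    """True if a sequential scan cannot distinguish host a from host b."""
    return sequential_scan(a, ports)[0] == sequential_scan(b, ports)[0]


if __name__ == "__main__":
    ports = range(1, 101)
    rst = Host(frozenset({22, 80}), silent_drop=False)
    drop = Host(frozenset({22, 80}), silent_drop=True)
    for name, h in (("RST on closed ports", rst), ("silent drop", drop)):
        v, t = sequential_scan(h, ports)
        print(f"{name:20s} open={open_ports(v)} scan time={t:.1f}s")
    empty = Host(frozenset(), silent_drop=True)
    down = Host(frozenset(), silent_drop=True, reachable=False)
    print("no-service host vs dead host look identical:",
          same_picture(empty, down, ports))
```

Running it shows both sides of the argument at once: the open ports come out the same under either policy, so the listeners are not hidden, but with silent drops every non-listening port costs the scanner the full timeout instead of one round trip, and a box with no services becomes indistinguishable from one that is down. A listener whose `listen_delay` exceeds the timeout is also reported as "no answer", which is the "black hole or slow listener" ambiguity Leif describes; the price of that ambiguity is paid by legitimate clients too, which is why the delay has to be chosen with the service's real users in mind.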