From owner-freebsd-current Tue Aug 17 10: 5:52 1999
Delivered-To: freebsd-current@freebsd.org
Received: from arnold.neland.dk (mail.neland.dk [194.255.12.232]) by hub.freebsd.org (Postfix) with ESMTP id E6DBA15640 for ; Tue, 17 Aug 1999 10:05:48 -0700 (PDT) (envelope-from leifn@neland.dk)
Received: from localhost (localhost [127.0.0.1]) by arnold.neland.dk (8.9.3/8.9.3) with ESMTP id TAA78427; Tue, 17 Aug 1999 19:00:52 +0200 (CEST) (envelope-from leifn@neland.dk)
Date: Tue, 17 Aug 1999 19:00:51 +0200 (CEST)
From: Leif Neland
To: Matt Crawford
Cc: current@FreeBSD.ORG
Subject: Re: Dropping connections without RST
In-Reply-To: <199908171417.JAA02482@gungnir.fnal.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 17 Aug 1999, Matt Crawford wrote:

> I see no point in the proposed mechanism. The scanner can still tell
> the difference between a port with a listener and a port with none.
> The only case in which the attacker is confounded would be in
> distinguishing a box which is down or off the net from a box which
> has *no* services and does not answer ping. I call that an
> uninteresting case.
>

When scanning, I guess one needs to have some delay to determine if
something is there or not. If you want to hide some listener, you often
can afford a fairly long timeout. This will confuse the attacker, who has
to wait a long time on each port to see if it is a black hole or a slow
listener.

It will delay simple sequential scanning, where the attacker scans one
port and waits for an answer before proceeding to the next port.

This reminds me of a proposal for sendmail: instead of rejecting mail
from known spammers, one would accept the connection but slow traffic
down to the slowest possible, so the spammer could only deliver very few
messages. Instead of killing the spammer, make every mailserver like
quicksand, drawing him down and drowning him :-]

Leif

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
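The point argued above, that silently dropping a SYN instead of answering with RST only slows a scanner that waits for each answer before moving on, can be seen directly in a small TCP connect scanner. The following is an added example written for this page; it is not code from the thread or from FreeBSD. It classifies a port as open (SYN/ACK, connect succeeds), closed (RST, ECONNREFUSED returned at once) or filtered (no answer until the timeout), and times the scan with one probe in flight versus several. The `simulated_probe` helper is a constructed stand-in for a host that black-holes some ports, used so the timing can be shown offline; the `local_listener` and `free_closed_port` helpers set up a real open and a real closed port on 127.0.0.1 for the live probe.

```python
"""Sequential vs. parallel TCP connect scan, and what a dropped SYN costs.

Added example, not part of the mailing-list thread. A port that answers
with RST is classified instantly; a port whose SYN is dropped costs the
scanner a full timeout. With one probe in flight that timeout is paid
once per dropped port; with N probes in flight it is paid once per N.
"""
import socket
import time
from concurrent.futures import ThreadPoolExecutor

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def tcp_connect_probe(host, port, timeout):
    """Classify one port from the peer's reaction to our SYN.

    SYN/ACK -> connect() returns            -> open
    RST     -> ECONNREFUSED, immediately    -> closed
    silence -> nothing before the timeout   -> filtered (black hole)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except (socket.timeout, OSError):
        return FILTERED
    finally:
        s.close()


def scan(host, ports, timeout, probe=tcp_connect_probe, workers=1):
    """Scan `ports` with `workers` probes in flight.

    Returns ({port: state}, elapsed_seconds). workers=1 is the naive
    sequential scan discussed in the thread: every black-holed port
    stalls the scanner for `timeout` before the next port is tried.
    """
    start = time.monotonic()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states)), time.monotonic() - start


def simulated_probe(dropped_ports):
    """Constructed stand-in for a host that drops SYNs to `dropped_ports`.

    The returned probe sleeps for the whole timeout on a dropped port,
    which is exactly what a real scanner experiences when no RST comes
    back; every other port behaves as closed (immediate RST).
    """
    def probe(host, port, timeout):
        if port in dropped_ports:
            time.sleep(timeout)
            return FILTERED
        return CLOSED
    return probe


def local_listener():
    """Open a real listening socket on 127.0.0.1; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Pick a port nothing listens on (bind to 0, read it back, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Live probe against one open and one closed port on localhost.
    srv, p_open = local_listener()
    p_closed = free_closed_port()
    live, _ = scan("127.0.0.1", [p_open, p_closed], timeout=1.0)
    srv.close()
    print("live:", live)

    # Constructed black-hole host: three of four ports drop the SYN.
    probe = simulated_probe({2, 3, 4})
    res, t_seq = scan("blackhole", [1, 2, 3, 4], 0.5, probe=probe, workers=1)
    _, t_par = scan("blackhole", [1, 2, 3, 4], 0.5, probe=probe, workers=4)
    print("states:", res)
    print(f"sequential {t_seq:.2f}s vs 4 in flight {t_par:.2f}s")
```

Run as a script it prints the live classification of the two localhost ports and the two timings for the constructed host; the sequential scan takes about three timeouts, the four-wide scan about one. That is the caveat to the tarpit argument: a scanner that keeps many probes in flight (as nmap does by default) is hardly delayed by black-holed ports, so the long timeout mainly taxes the naive one-port-at-a-time scanner described in the message.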