From owner-freebsd-security Sat Jan 22 13:09:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mx2.x-treme.gr (mx2.x-treme.gr [212.120.192.15]) by hub.freebsd.org (Postfix) with ESMTP id AA01314F63 for ; Sat, 22 Jan 2000 13:09:24 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr)
Received: from hades.hell.gr (pat23.x-treme.gr [212.120.197.215]) by mx2.x-treme.gr (8.9.3/8.9.3/IPNG-ADV-ANTISPAM-0.1) with ESMTP id XAA24235; Sat, 22 Jan 2000 23:09:16 +0200
Received: (from charon@localhost) by hades.hell.gr (8.9.3/8.9.3) id SAA30161; Sat, 22 Jan 2000 18:28:01 +0200 (EET) (envelope-from keramida@diogenis.ceid.upatras.gr)
Date: Sat, 22 Jan 2000 18:28:01 +0200
From: Giorgos Keramidas
To: Brett Glass
Cc: Matthew Dillon, Dag-Erling Smorgrav, Keith Stevenson, freebsd-security@FreeBSD.ORG
Subject: Re: Some observations on stream.c and streamnt.c
Message-ID: <20000122182801.A30103@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References: <4.2.2.20000120194543.019a8d50@localhost> <20000121162757.A7080@osaka.louisville.edu> <4.2.2.20000121195112.0196a220@localhost> <200001220353.TAA66856@apollo.backplane.com> <4.2.2.20000121210443.01981600@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <4.2.2.20000121210443.01981600@localhost>
X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E
X-Phone-Number: +30-94-6203692, +30-93-2886457
X-Address: Theodorou Kirinaiou 61, 26334 Patra, Greece
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Jan 21, 2000 at 09:26:39PM -0700, Brett Glass wrote:
> At 08:53 PM 1/21/2000, Matthew Dillon wrote:
>
> > Brett, it's an interesting rationalization, but it's completely wrong.
> > If you think a moment you will find that there are plenty of RST situations
> > long after boot. Think of all those dialup connections where people
> > turn off their modems before disconnecting, for example. At BEST our
> > servers always had a large number of hanging connections from that
> > sort of situation.
>
> This is really a different situation. In this case, the system is acting like
> a router. The packet never gets to the TCP level on the host, or shouldn't,
> during the call. When the user hangs up, your PPP software might want to
> send a bunch of RSTs to shut down the caller's sessions (if it's been
> tracking them). Or just do what a router does, and flag the machine
> as down.

I don't know of any beast that can track down connections of its dialup
interfaces. If you have one of these, I'm really jealous.

Seriously now, you can't just stop sending RSTs forever. This creates a lot
of problems, while trying to solve just one. Most problems occur when a host
gets down for a while, or some dialup user toggles his on/off switch to the
modem, causing some other to dial into his old IP, etc.

> > As far as port probing goes: So what? Do you think preventing people
> > from identifying your machine will make it more secure?
>
> No, but it'll make it harder to figure out which 'sploits to try. It's the
> difference between leaving the door visibly wide open and forcing the
> cracker to TRY the door. If I can waste a cracker's time, I want to.

Got a point there. But this can be done with simple firewall rules for anyone
who's interested in doing it. Both ipfw and ipfilter can be set up to drop
SYN+FIN packets without an ICMP.

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
"Don't let your schooling interfere with your education." [Mark Twain]
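The closing point of the message is that dropping SYN+FIN segments silently is a plain firewall matter. The following Python is an added example, not part of the thread or of FreeBSD: it shows what such a rule actually tests, by parsing constructed 20-byte TCP headers and applying an ipfilter-style "flags want/mask" comparison (the same check an `ipfw ... tcpflags syn,fin` or `ipf ... flags SF/SF` rule performs). The two rule strings at the top are written from memory of those tools' syntax and are an assumption to check against the manpage of the version in use; all packets are constructed inline, not captured traffic.

```python
"""Added example (not from the mailing-list thread): what a 'drop SYN+FIN'
firewall rule matches.  All TCP headers below are constructed samples."""
import struct

# Assumed rule syntax for the two firewalls named in the message; verify
# against ipfw(8) / ipf(5) for your release before relying on it.
IPFW_RULE = "ipfw add deny log tcp from any to any tcpflags syn,fin"
IPF_RULE = "block in log quick proto tcp from any to any flags SF/SF"

# Flag bits in the low byte of the TCP data-offset/flags word (RFC 793).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
SYN_FIN = TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"]


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (data offset 5, checksum 0)."""
    off_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       off_flags, window, 0, 0)


def parse_tcp_header(data):
    """Parse the fixed part of a TCP header; raises on truncated input."""
    if len(data) < 20:
        raise ValueError("truncated TCP header: %d bytes" % len(data))
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", data[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0x3F,
        "window": window,
    }


def flag_names(flags):
    """Human-readable list of the flag bits that are set."""
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]


def flags_match(flags, want, mask):
    """ipfilter-style 'flags want/mask': only the bits in mask are compared.
    'SF/SF' means SYN and FIN must both be set; other bits are ignored."""
    return (flags & mask) == want


def should_drop_syn_fin(data):
    """True when the segment carries SYN and FIN together.  No legitimate
    TCP implementation sends that combination, so dropping it silently
    (ipfw 'deny' rather than 'reject'/'unreach') costs nothing."""
    header = parse_tcp_header(data)
    return flags_match(header["flags"], SYN_FIN, SYN_FIN)


# Constructed sample segments, all to port 80 from an ephemeral port.
SAMPLES = {
    "normal SYN": build_tcp_header(40000, 80, TCP_FLAGS["SYN"]),
    "SYN+FIN probe": build_tcp_header(40000, 80, SYN_FIN),
    "FIN+ACK close": build_tcp_header(40000, 80,
                                      TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"]),
    "SYN+FIN+ACK": build_tcp_header(40000, 80, SYN_FIN | TCP_FLAGS["ACK"]),
}


def classify_samples():
    """Map each sample name to whether the SYN+FIN rule would drop it."""
    return {name: should_drop_syn_fin(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print(IPFW_RULE)
    print(IPF_RULE)
    for name, pkt in SAMPLES.items():
        flags = parse_tcp_header(pkt)["flags"]
        print("%-14s flags=%-14s drop=%s" % (name, ",".join(flag_names(flags)),
                                             should_drop_syn_fin(pkt)))
```

The mask form matters: a rule written as `flags SF` alone in ipfilter compares against a full mask (only an exact SYN+FIN, nothing else set), so the "SYN+FIN+ACK" sample would slip past it, while `SF/SF` catches every segment with both bits set regardless of ACK or PSH. Using `deny` in ipfw (or `block` without `return-icmp` in ipfilter) is what gives the "without an ICMP" behaviour the message refers to.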