Date: Mon, 3 Sep 2001 14:17:16 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: Hank Leininger <hlein@progressive-comp.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <Pine.BSF.4.21.0109031402470.406-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <200109021601.MAA30005@mailer.progressive-comp.com>

On Sun, 2 Sep 2001, Hank Leininger wrote:

> Then whack this data into IP
> and TCP options fields of some set of packets you throw at the box. The
> server would listen for the right sequence of packets,

And you're toasted in case of a packet loss, since IP is an unreliable
protocol. Not to mention that some paranoid router/firewall on the way may
drop the "weird" datagrams.

> But really, it hardly seems worth the bother. A whole lot of complexity
> (==places for your implementation to be buggy and open new security holes)
> and resource-consumption (==DoS opportunity) for little gain other than
> security through obscurity.

Exactly. IMHO this tool would not be much gain in normal administration but
would make a hard-to-detect backdoor.

> Now, if there were a CGI that was POSTed to with this signed/encrypted
> request...

But the script would reside by default in the same location, so throwing
together a kiddie scanner is trivial. Not to mention the possibility of
exploitation of the script. And also SSL'd connections should be used...
Too much configuration overhead, I think.