Date: Tue, 17 Aug 1999 19:00:51 +0200 (CEST)
From: Leif Neland <leifn@neland.dk>
To: Matt Crawford <crawdad@fnal.gov>
Cc: current@FreeBSD.ORG
Subject: Re: Dropping connections without RST
Message-ID: <Pine.BSF.4.05.9908171851140.72905-100000@arnold.neland.dk>
In-Reply-To: <199908171417.JAA02482@gungnir.fnal.gov>
On Tue, 17 Aug 1999, Matt Crawford wrote:

> I see no point in the proposed mechanism. The scanner can still tell
> the difference between a port with a listener and a port with none.
> The only case in which the attacker is confounded would be in
> distinguishing a box which is down or off the net from a box which
> has *no* services and does not answer ping. I call that an
> uninteresting case.
>

When scanning, I guess one needs to have some delay to determine if something is there or not. If you want to hide some listener, you often can afford a fairly long timeout. This will confuse the attacker, having to wait a long time on each port to see if it is a black hole or a slow listener. It will delay simple sequential scanning where the attacker scans one port and waits for an answer before proceeding to the next port.

This reminds me of a proposal for sendmail; instead of rejecting mail from known spammers, one would accept the connection, but slow traffic down to the slowest possible, so the spammer could only deliver very few messages. Instead of killing the spammer, make every mailserver like quicksand, drawing him down and drowning him :-]

Leif

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
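The "quicksand" mail server Leif sketches is what is now usually called a tarpit: accept the connection, then feed the client bytes so slowly that each session ties it up for a long time while it accomplishes almost nothing. The following is an added example, not code from the thread or from sendmail: a minimal loopback tarpit in Python that drips a constructed `220` greeting and a constructed `450` temporary-failure reply one chunk at a time, plus a client-side timer that measures how long a sender must wait just to see the banner. The host, port, banner text, chunk size and delay are all assumptions chosen for the demo; a real deployment would hang the tarpit in front of an MTA and tune the delay to the sender's patience.

```python
import socket
import threading
import time

# Constructed demo greeting; a real MTA would send its own "220 <host> ESMTP" line.
BANNER = b"220 tarpit.example ESMTP\r\n"
# Constructed reply for every client command: a temporary failure, so a
# well-behaved sender backs off and retries later instead of losing mail.
SLOW_REPLY = b"450 4.7.1 try again later\r\n"


def drip_schedule(payload, chunk_size, delay):
    """Split payload into chunk_size pieces, each delivered after `delay` seconds."""
    return [(delay, payload[i:i + chunk_size])
            for i in range(0, len(payload), chunk_size)]


def delivery_time(payload, chunk_size, delay):
    """Total seconds a client must wait to receive the whole payload."""
    return sum(d for d, _ in drip_schedule(payload, chunk_size, delay))


class Tarpit:
    """Hypothetical demo server: accepts connections and feeds them bytes at a crawl."""

    def __init__(self, host="127.0.0.1", port=0, chunk_size=1, delay=1.0):
        self.chunk_size = chunk_size
        self.delay = delay
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: kernel picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _drip(self, conn, payload):
        # Sleep before every chunk so the client pays `delay` per chunk_size bytes.
        for delay, chunk in drip_schedule(payload, self.chunk_size, self.delay):
            time.sleep(delay)
            conn.sendall(chunk)

    def _handle(self, conn):
        with conn:
            try:
                self._drip(conn, BANNER)
                conn.settimeout(5.0)
                while True:
                    line = conn.recv(512)
                    if not line:
                        return
                    self._drip(conn, SLOW_REPLY)
                    if line.strip().upper().startswith(b"QUIT"):
                        return
            except OSError:
                return          # client gave up; that is the point of a tarpit


def time_to_banner(port, timeout=30.0):
    """Client view: the greeting received and the seconds spent waiting for it."""
    start = time.monotonic()
    buf = b""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        while not buf.endswith(b"\r\n"):
            data = c.recv(64)
            if not data:
                break
            buf += data
    return buf, time.monotonic() - start


def demo(chunk_size=1, delay=0.02):
    """Run one tarpit on loopback, connect to it once, return (banner, elapsed)."""
    tp = Tarpit(chunk_size=chunk_size, delay=delay)
    tp.start()
    try:
        return time_to_banner(tp.port)
    finally:
        tp.stop()


if __name__ == "__main__":
    banner, elapsed = demo()
    print(f"received {banner!r} after {elapsed:.2f}s "
          f"(scheduled {delivery_time(BANNER, 1, 0.02):.2f}s)")
```

With `chunk_size=1` and `delay=1.0` the 26-byte greeting alone costs a sender 26 seconds before it can even say `HELO`, and every command after that costs another 27; the sender's own idle timeout, not the server, decides when the session ends, which is the asymmetry Leif is after. The same per-chunk delay on a plain listener is what makes a black-holed port and a slow one look alike to a sequential scanner that waits for each answer.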