Date: Wed, 12 Aug 1998 23:12:22 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: Marius Bendiksen <Marius.Bendiksen@scancall.no>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Message-ID: <Pine.BSF.3.96.980812225354.21008E-100000@aniwa.sky>
In-Reply-To: <3.0.5.32.19980812112915.0092ead0@mail.scancall.no>
On Wed, 12 Aug 1998, Marius Bendiksen wrote:

> >Or it's traceroute of course.
>
> Not very likely? Wouldn't a traceroute connect to several ports that high up?

I realised just a bit after I posted. The 'what are these three 30K port UDP packets on a port I don't have anything on' combined with the fake traceroute thread headed me off in the wrong direction. I decided against answering my own post. I do think that mimicking traceroute would have been a lot cooler than the eleet reference though.

> >How hard would it be to arrange for a reply to be sent that would cause a
> >back orifice client to send more and distinguish itself from a traceroute?
>
> I got a potentially interesting idea;
>
> Imagine a backorificed running on Unix machines, pretending to be a
> 'legitimate' Back Orifice installation, fully configurable, etc... ? :)

I thought about this too, after I realised my own mistake. It would be a silly cracker (perhaps your average scripted attack) that couldn't spot that. It would be more interesting to see what happened with a fake version of a server you'd normally run made available to people connecting from an invalid location, but for most purposes more trouble than it's worth for an individual site.

Fake network services are an interesting idea. They're not going to be viable for most users, but how many of these systems need to be scattered around the net and monitored to provide an effective deterrent to scan based attacks? Would this be a role for organizations like CERT? The Apache config (commented out) for phf attacks comes to mind. Perhaps if people published simple stats gatherers which sent info on attacks of various kinds to a centralized authority a significant dent in scanning might occur? It seems plausible that this might be introduced to the culture of internet bug reports, but it would be entirely dependent on some organization setting up a centralised monitoring facility.

Probably it would also be dependent on a standardized attack report protocol that obviated the need for new software to be set up to record information on each new bug being reported. Probably improbable.

Andrew
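The thread's practical question is how to tell a handful of unsolicited UDP datagrams from a traceroute, and what a "simple stats gatherer" for such probes might record. The following is an added example, not code from the thread or from either poster: it classifies bursts of UDP probes per source using only the two facts the thread relies on (Unix traceroute walks consecutive destination ports upward from 33434, while a Back Orifice scan parks on a single port, 31337 by default) and emits a per-source verdict list that a collector could aggregate. The three-column log format, the 30-second burst window and the sample addresses are assumptions constructed for the example.

```python
"""Classify unsolicited UDP probes as traceroute-like or fixed-port probes.

Added example for the UDP port 31337 thread; not code from the original
posts. The log format ("<seconds> <src> <dport>", one datagram per line)
is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

TRACEROUTE_BASE_PORT = 33434   # default first destination port of Unix traceroute
BO_DEFAULT_PORT = 31337        # default UDP port of a Back Orifice server
WINDOW_SECONDS = 30.0          # assumption: probes closer than this form one burst


@dataclass(frozen=True)
class Probe:
    src: str     # source address
    dport: int   # destination UDP port on our host
    t: float     # arrival time in seconds


def parse_log_line(line):
    """Parse one constructed '<seconds> <src> <dport>' log line."""
    t, src, dport = line.split()
    return Probe(src=src, dport=int(dport), t=float(t))


def group_bursts(probes):
    """Group probes by source and split each source's probes into bursts.

    Probes from the same source arriving within WINDOW_SECONDS of the
    previous one belong to the same burst.
    """
    by_src = defaultdict(list)
    for p in sorted(probes, key=lambda p: (p.src, p.t)):
        bursts = by_src[p.src]
        if bursts and p.t - bursts[-1][-1].t <= WINDOW_SECONDS:
            bursts[-1].append(p)
        else:
            bursts.append([p])
    return by_src


def classify_burst(burst):
    """Return 'traceroute', 'bo-probe', 'fixed-port-probe' or 'unknown'.

    Traceroute sends its probes to consecutive ports starting at or above
    33434, so a burst whose ports step up by one from that range is most
    likely a traceroute. A burst that hits one port repeatedly (the three
    packets on 31337 the thread started with) is a targeted probe.
    """
    ports = [p.dport for p in sorted(burst, key=lambda p: p.t)]
    if len(ports) >= 2:
        consecutive = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        if consecutive and ports[0] >= TRACEROUTE_BASE_PORT:
            return "traceroute"
    if len(set(ports)) == 1:
        return "bo-probe" if ports[0] == BO_DEFAULT_PORT else "fixed-port-probe"
    return "unknown"


def summarize(log_text):
    """Map each source address to the verdict for each of its bursts.

    This is the record a central stats gatherer would receive per site.
    """
    probes = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    return {src: [classify_burst(b) for b in bursts]
            for src, bursts in group_bursts(probes).items()}


# Constructed sample log: one traceroute reaching us (three probes on
# consecutive ports) and one source sending three packets to 31337.
SAMPLE_LOG = """\
1000.0 10.0.0.5 33443
1000.1 10.0.0.5 33444
1000.2 10.0.0.5 33445
1200.0 192.0.2.77 31337
1200.5 192.0.2.77 31337
1201.0 192.0.2.77 31337
"""

if __name__ == "__main__":
    for src, verdicts in sorted(summarize(SAMPLE_LOG).items()):
        print(src, verdicts)
```

The port-progression test is the only signal used on purpose: the remaining IP TTL of a traceroute probe that reaches the destination is small but not reliably visible in a packet-filter log, and a scanner that deliberately mimics traceroute (the "cooler" option the poster mentions) would defeat this check, which is exactly the point that such mimicry is easy.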