Date:      Sat, 22 Jan 2000 18:28:01 +0200
From:      Giorgos Keramidas <charon@hades.hell.gr>
To:        Brett Glass <brett@lariat.org>
Cc:        Matthew Dillon <dillon@apollo.backplane.com>, Dag-Erling Smorgrav <des@flood.ping.uio.no>, Keith Stevenson <k.stevenson@louisville.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: Some observations on stream.c and streamnt.c
Message-ID:  <20000122182801.A30103@hades.hell.gr>
In-Reply-To: <4.2.2.20000121210443.01981600@localhost>
References:  <4.2.2.20000120194543.019a8d50@localhost> <Pine.BSF.4.10.10001211419010.3943-100000@tetron02.tetronsoftware.com> <20000121162757.A7080@osaka.louisville.edu> <xzpk8l2lul4.fsf@flood.ping.uio.no> <4.2.2.20000121195112.0196a220@localhost> <200001220353.TAA66856@apollo.backplane.com> <4.2.2.20000121210443.01981600@localhost>

On Fri, Jan 21, 2000 at 09:26:39PM -0700, Brett Glass wrote:
> At 08:53 PM 1/21/2000 , Matthew Dillon wrote:
> 
> >    Brett, it's an interesting rationalization, but it's completely wrong. 
> >     If you think a moment you will find that there are plenty of RST situations
> >     long after boot.  Think of all those dialup connections where people 
> >     turn off their modems before disconnecting, for example.  At BEST our
> >     servers always had a large number of hanging connections from that
> >     sort of situation.  
> 
> This is really a different situation. In this case, the system is acting like
> a router. The packet never gets to the TCP level on the host, or shouldn't,
> during the call. When the user hangs up, your PPP software might want to 
> send a bunch of RSTs to shut down the caller's sessions (if it's been 
> tracking them). Or just do what a router does, and flag the machine
> as down.

I don't know of any beast that can track down connections of its dialup
interfaces.  If you have one of these, I'm really jealous.

Seriously now, you can't just stop sending RSTs forever.  This creates a lot
of problems, while trying to solve just one.  Most problems occur when a host
goes down for a while, or some dialup user toggles the on/off switch on his
modem, causing someone else to dial in and get his old IP, etc.

> > As far as port probing goes:  So what?  Do you think preventing people
> > from identifying your machine will make it more secure?
> 
> No, but it'll make it harder to figure out which 'sploits to try. It's the
> difference between leaving the door visibly wide open and forcing the
> cracker to TRY the door. If I can waste a cracker's time, I want to.

Got a point there.  But this can be done with simple firewall rules for
anyone who's interested in doing it.  Both ipfw and ipfilter can be set up to
drop SYN+FIN packets without sending an ICMP reply.

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
"Don't let your schooling interfere with your education." [Mark Twain]
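The message above says a SYN+FIN segment can simply be dropped at the firewall without an ICMP reply. The following is an added example (not code from the thread or from FreeBSD) that shows what such a rule actually matches: it builds a few constructed raw TCP headers, extracts the flag bits from the data-offset/flags word, and returns the same silent drop/pass verdict a `deny` rule would give. The ipfw and ipfilter rule strings in the comments are assumed equivalents for reference; the helper names are my own.

```python
import struct

# TCP flag bits, low six bits of the data-offset/flags word (RFC 793)
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20

# Assumed rule equivalents for the check implemented below (not from the thread):
#   ipfw:     ipfw add deny tcp from any to any tcpflags syn,fin
#             ("deny" drops silently; "reject"/"unreach" would answer with ICMP)
#   ipfilter: block in quick proto tcp from any to any flags SF/SF
#             (plain "block", not "block return-icmp", keeps it silent)


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header (constructed sample data).

    Data offset is 5 words (no options), window 65535, checksum and
    urgent pointer left at zero because only the flags matter here.
    """
    offset_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0)


def tcp_flags(segment):
    """Return the six classic flag bits of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    return offset_flags & 0x3F


def is_syn_fin(segment):
    """True when SYN and FIN are both set.

    A legitimate TCP stack never sends that combination: SYN opens a
    connection and FIN closes one.  Segments carrying both are only
    seen from scanners or malformed traffic, so dropping them costs
    nothing for real connections.
    """
    return tcp_flags(segment) & (SYN | FIN) == (SYN | FIN)


def filter_verdict(segment):
    """Silent verdict, like an ipfw 'deny': no ICMP is generated either way."""
    return "drop" if is_syn_fin(segment) else "pass"


if __name__ == "__main__":
    # Constructed samples: a scan-style SYN+FIN, a normal SYN, a normal FIN+ACK.
    samples = {
        "SYN+FIN": build_tcp_header(40000, 22, SYN | FIN),
        "SYN":     build_tcp_header(40001, 22, SYN),
        "FIN+ACK": build_tcp_header(40002, 22, FIN | ACK, seq=1, ack=1),
    }
    for name, seg in samples.items():
        print(f"{name:8s} -> {filter_verdict(seg)}")
```

Only the SYN+FIN header is dropped; an ordinary SYN (connection open) and FIN+ACK (connection close) pass, which is why this rule does not interfere with the RST situations discussed earlier in the thread.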

