RE: Intrusion prevention and dDos protection

From: Frank Knobbe (frank_at_knobbe.us)
Date: 08/27/03

  • Next message: Scott Wimer: "Re: Top IPS vendors - please read for invitation to Network World review."
    To: Rob Shein <shoten@starpower.net>
    Date: Wed, 27 Aug 2003 14:07:38 -0500
    
    
    

    On Tue, 2003-08-26 at 10:31, Rob Shein wrote:
    > I don't understand how the cloaking would work. It would seem to me that a
    > firewall that drops all inbound packets that are not part of an existing
    > connection is as invisible as a system that isn't online...

    The cloaking is nothing else but sending a SYN-ACK back instead of a
    silent drop. In other words, your TCP 3-way handshake establishes a
    connection, but nothing else is happening (no tar-pitting etc). When
    you scan a box it should report that all ports are open. Now you are
    left to banner grab all ports to see which port is actually a real
    service and which port is not.

    The concept has been kicked around for years. Some company is marketing
    it as their 'cloaking' architecture (probably an expensive product :).
    LaBrea is similar, but acts only on unused IPs and keeps the connection
    alive. A cloak works more on a port basis than an IP basis.

    I was thinking of hacking ipfilter so that an option 'cloak' would be
    available, which does nothing else but do the 3-way and move on. My
    plan was to copy the routine from block-rst and just change the RST to a
    SYN-ACK. Unfortunately I haven't found the time for it... :(

    Cheers,
    Frank

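The scanner's-eye view of the scheme Frank describes, as an added example that is not code from this thread or from any of the products mentioned. It emulates cloaking in user space on 127.0.0.1 rather than with the ipfilter change he proposes: a "cloaked" port is a listener that lets the kernel complete the three-way handshake and then deliberately says nothing, a "real" port sends a constructed sample banner, and a third port has nobody listening so the OS answers it with RST. The connect scan reports both listening ports open; only the banner-grab pass separates the service from the decoy. Port numbers are assigned at runtime, and the banner text is invented for the demo.

```python
"""Port cloaking demo: every cloaked port completes the TCP three-way
handshake, so a connect scan reports it open; only a banner grab tells
a real service from a decoy.  Added example, not code from the thread."""
import socket
import threading
import time

BANNER = b"220 demo.example ESMTP ready\r\n"   # constructed sample banner


def _listener():
    """Bind an ephemeral localhost port and return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))
    s.listen(16)
    return s, s.getsockname()[1]


def _serve(listener, banner, stop):
    """Accept loop.  banner=None emulates a cloaked port: the kernel has
    already answered the SYN with SYN-ACK, and the process sends nothing."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                time.sleep(0.3)  # stay silent, then let the close happen
    listener.close()


def start_host():
    """Start one real service and one cloaked port; return (ports, stop)."""
    stop = threading.Event()
    real, real_port = _listener()
    cloak, cloak_port = _listener()
    # A port nobody listens on: allocate and close it so the OS answers RST.
    tmp, closed_port = _listener()
    tmp.close()
    for lst, banner in ((real, BANNER), (cloak, None)):
        threading.Thread(target=_serve, args=(lst, banner, stop),
                         daemon=True).start()
    return {"real": real_port, "cloaked": cloak_port, "closed": closed_port}, stop


def connect_scan(host, ports, timeout=1.0):
    """What an nmap -sT style scan sees: 'open' iff the handshake completes.
    The kernel completes it from the listen backlog, so the cloaked port
    looks open even though no process ever talks on it."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            result[port] = "open" if s.connect_ex((host, port)) == 0 else "closed"
    return result


def banner_grab(host, port, timeout=1.0):
    """Connect, wait for the server to speak first; b'' if it never does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def classify(host, ports):
    """The second pass a cloak forces on the scanner: open ports that never
    talk are decoys, open ports that send a banner are real services."""
    verdict = {}
    for port, state in connect_scan(host, ports).items():
        if state != "open":
            verdict[port] = "closed"
        else:
            verdict[port] = "service" if banner_grab(host, port) else "decoy"
    return verdict


def demo():
    """Run the whole exercise and return (ports, scan view, classified view)."""
    ports, stop = start_host()
    try:
        targets = list(ports.values())
        return ports, connect_scan("127.0.0.1", targets), classify("127.0.0.1", targets)
    finally:
        stop.set()


if __name__ == "__main__":
    ports, scan, verdict = demo()
    for name, port in ports.items():
        print(f"{name:8s} port {port}: scan={scan[port]:6s} verdict={verdict[port]}")
```

The caveat the demo makes visible: the decoy only costs the scanner a timeout per port, so the cloak raises the price of enumeration rather than hiding anything, and a service that expects the client to speak first (HTTP, for instance) would be misfiled as a decoy by a grab that merely waits for a banner.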