Re: Scan of TCP 552-554

From: Rodrigo Barbosa (rodrigob_at_suespammers.org)
Date: 07/25/03

Next message: Andreas Östling: "Re: Port 0 packets"

Previous message: Jason Falciola: "Re: www.google.com reference in directory-traversal attack"
In reply to: Frank Knobbe: "Re: Scan of TCP 552-554"
Next in thread: Russell Harding: "Re: Scan of TCP 552-554"
Reply: Russell Harding: "Re: Scan of TCP 552-554"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 25 Jul 2003 15:22:53 -0300
To: Incidents <incidents@securityfocus.com>

On Thu, Jul 24, 2003 at 06:10:30PM -0500, Frank Knobbe wrote:
> For example, if you do a TCP scan from port 135 to port 140 on a Windows
> box, and you receive nothing on 135, 136, 137, 138, 139, but a TCP Reset
> on 140, there is a high probability that an admin only put a firewall
> rules in place that simply says 'drop 135-139' to cover the RPC/NetBIOS
> range, but left the system otherwise unprotected, with Windows sending a
> Reset on port 140. (Of course you might want to confirm by 'pinging' a
> couple other closed ports, like port 109 or something).

That is something I have been wondering for a while.
On my firewall, I can set the blockage to either drop the package,
send a tcp-reset back, or an asorted lot of icmp messages.

I figured that sending a tcp-reset would help to hide the firewall. On
the other hand, it would cause extra traffic (which could help a DoS attempt).
Also, sending an icmp-administratively-forbidden message back would be the
'polite' thing to do. After all that, I would what would be the best practice.

On small links, I usually choose to use tcp-reset. After all, it's
pretty easy to do a DoS on those links. And the less information an
would-be-attacker get on my system, the better. On the other hand (3 hands!??!),
the tcp-reset package do carry some information about my host.

So, all in all, I'm a little lost of which is the better option to use.

-- 
Rodrigo Barbosa <rodrigob@suespammers.org>
"Be excellent to each other ..." - Bill & Ted (The Wild Stallions)

application/pgp-signature attachment: stored

Next message: Andreas Östling: "Re: Port 0 packets"

Previous message: Jason Falciola: "Re: www.google.com reference in directory-traversal attack"
In reply to: Frank Knobbe: "Re: Scan of TCP 552-554"
Next in thread: Russell Harding: "Re: Scan of TCP 552-554"
Reply: Russell Harding: "Re: Scan of TCP 552-554"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Scan of TCP 552-554
... > TCP Reset on 140, there is a high probability that an admin only put a ... I figured that sending a tcp-reset would help to hide the firewall. ... If this was done by everyone you can forget about basic troubleshooting tools such as traceroute of ping. ...
(Incidents)
Re: Scan of TCP 552-554
... When configuring my new firewall, I had this exact thought, and decided ... scanning is much slower when packets are dropped. ... host which responds with RSETs, ... > I figured that sending a tcp-reset would help to hide the firewall. ...
(Incidents)
Re: [fw-wiz] Firewalls that generate new packets..
... if it has the proper syns/acks let it through. ... This is a recipe for DOS disaster of course. ... As Marcus said, no firewall, be it stateless, stateful, proxy, ... I first heard the term "deep packet inspection" around 5 years ...
(Firewall-Wizards)
Re: Ports that are open on a Server
... The server is not an internet server, ... mail server already behind a firewall. ... The DoS that I ...
(microsoft.public.win2000.security)
Re: ICMP pokes holes in firewalls...
... sent out, you could send back 100,000 ICMP messages saying "time exceeded" ... >> I've tried twice and now I have two customers happy of their ... >> unexpensive Linux based firewall. ...
(Bugtraq)