Re: Scan of TCP 552-554

From: Rodrigo Barbosa (rodrigob_at_suespammers.org)
Date: 07/25/03

    Date: Fri, 25 Jul 2003 15:22:53 -0300
    To: Incidents <incidents@securityfocus.com>
    
    
    

    On Thu, Jul 24, 2003 at 06:10:30PM -0500, Frank Knobbe wrote:
    > For example, if you do a TCP scan from port 135 to port 140 on a Windows
    > box, and you receive nothing on 135, 136, 137, 138, 139, but a TCP Reset
    > on 140, there is a high probability that an admin only put a firewall
    > rule in place that simply says 'drop 135-139' to cover the RPC/NetBIOS
    > range, but left the system otherwise unprotected, with Windows sending a
    > Reset on port 140. (Of course you might want to confirm by 'pinging' a
    > couple other closed ports, like port 109 or something).

    That is something I have been wondering about for a while.
    On my firewall, I can set the blockage to either drop the packet,
    send a tcp-reset back, or an assorted lot of icmp messages.

    I figured that sending a tcp-reset would help to hide the firewall. On
    the other hand, it would cause extra traffic (which could help a DoS attempt).
    Also, sending an icmp-administratively-forbidden message back would be the
    'polite' thing to do. After all that, I wonder what would be the best practice.

    On small links, I usually choose to use tcp-reset. After all, it's
    pretty easy to do a DoS on those links. And the less information a
    would-be attacker gets on my system, the better. On the other hand (3 hands!??!),
    the tcp-reset packet does carry some information about my host.

    So, all in all, I'm a little lost as to which is the better option to use.

    -- 
    Rodrigo Barbosa <rodrigob@suespammers.org>
    "Be excellent to each other ..." - Bill & Ted (The Wild Stallions)
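
Added example, not part of the original message: the inference quoted above (silence on 135-139 next to a reset on 140), written as a check an administrator can run over probe results from their own perimeter to see which rule ranges stand out. The reply labels, function names and sample data are constructed for illustration.

```python
from collections import Counter

# Constructed probe results: port -> observed reply to a TCP SYN
# ("none" = silence, "rst" = TCP reset, "icmp" = ICMP unreachable,
#  "open" = SYN/ACK from a listening service).
SAMPLE_DROP = {109: "rst", 135: "none", 136: "none", 137: "none",
               138: "none", 139: "none", 140: "rst", 141: "rst"}
SAMPLE_RESET = {port: "rst" for port in SAMPLE_DROP}

def baseline_reply(results, control_ports):
    """Reply the host gives on ports assumed closed and unfiltered."""
    replies = Counter(results[p] for p in control_ports if p in results)
    if not replies:
        raise ValueError("no control port present in results")
    if len(replies) > 1:
        raise ValueError("control ports disagree; pick different controls")
    return next(iter(replies))

def visible_filter_ranges(results, control_ports):
    """Return [(first_port, last_port, reply)] for runs of adjacent probed
    ports whose reply differs from the baseline, i.e. where a filter shows."""
    base = baseline_reply(results, control_ports)
    ranges = []
    for port in sorted(results):
        reply = results[port]
        if reply in (base, "open"):      # normal closed or listening port
            continue
        last = ranges[-1] if ranges else None
        if last and last[1] == port - 1 and last[2] == reply:
            ranges[-1] = (last[0], port, reply)   # extend the current run
        else:
            ranges.append((port, port, reply))    # start a new run
    return ranges

if __name__ == "__main__":
    # 'drop 135-139' policy: the range is visible against the RST baseline.
    print(visible_filter_ranges(SAMPLE_DROP, [109, 141]))
    # Reject-with-reset policy: nothing differs from the host's own reply.
    print(visible_filter_ranges(SAMPLE_RESET, [109, 141]))
```

With the reset policy the result is empty because the filtered ports answer the same way the host's closed ports do, which is the "hide the firewall" effect discussed in the message.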
    
    


