Re: Scan of TCP 552-554

From: Frank Knobbe (fknobbe_at_knobbeits.com)
Date: 07/28/03

  • Next message: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
    To: Rodrigo Barbosa <rodrigob@suespammers.org>
    Date: 28 Jul 2003 15:49:26 -0500

    On Mon, 2003-07-28 at 12:54, Rodrigo Barbosa wrote:
    > My reasoning is that you have to trust your firewall. Sooner or later, the
    > attacker will bruteforce it. So, the longer it takes for the
    > attacker to understand there is a firewall there, the better. That is
    > why I'm considering using tcp-reset. This way, the attacker will hit
    > the traps faster. Maybe even the same traps that will block his attack
    > entirely.

    Sure, everything can be figured out over time. To answer your question,
    personally I drop everything silently on the firewall (like Russel) on
    the outside interface. On the inside interface I prefer to send a
    TCP-Reset so that internal devices get on with their business and don't
    hang in timeout states. Keep in mind that my policy (just like yours I
    hope) takes a "deny all, allow required" stance. Firewalls that allow
    all and filter out certain port ranges may be better off with TCP-RST
    while deny-all firewalls may be better off with silent drops.

    I don't think you will always be able to completely hide a system though
    (especially when it serves a purpose, like email ;)
    However, a thought just came to mind. Would it be better (from a
    cover-up point of view) to have the firewall send a spoofed
    ICMP-Host-Unreachable packet with the router's IP address? :)

    Cheers,
    Frank
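
    The policy Frank describes above, written out as an iptables ruleset. This is
    an added example and is not from either post in the thread; the interface
    names (eth0 outside, eth1 inside), the LAN prefix 192.168.1.0/24 and the
    choice of SMTP as the only exposed service are assumptions. IPT defaults to
    "echo iptables" so the script only previews the rules; run it as root with
    IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: a "deny all, allow required"
# iptables ruleset that drops silently on the outside interface and answers
# with TCP RST (or ICMP unreachable for non-TCP) on the inside interface.
# Interface names, the LAN prefix and the exposed service list are assumptions.
# IPT defaults to "echo iptables" so the script previews the rules; run it as
# root with IPT=iptables to apply them.

WAN_IF="${WAN_IF:-eth0}"                 # assumed outside interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal network
WAN_SERVICES="${WAN_SERVICES:-25}"       # assumed: only SMTP exposed (the "email" case)
IPT="${IPT:-echo iptables}"

fw_rules() {
    # Deny-all stance: the chain policies catch anything no rule allows.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the firewall already knows.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # "Allow required": only the listed TCP services are reachable from outside.
    for port in $WAN_SERVICES; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Internal hosts may go out; anything else crossing the box is denied below.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Outside interface: log a sample, then drop silently. The scanner gets no
    # RST and no ICMP, so a filtered port looks the same as a black hole.
    $IPT -A INPUT   -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT   -i "$WAN_IF" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -j DROP

    # Inside interface: answer immediately so internal clients fail fast instead
    # of sitting in SYN_SENT until their connect() times out.
    $IPT -A INPUT   -i "$LAN_IF" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT   -i "$LAN_IF" -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A INPUT   -i "$LAN_IF"        -j REJECT --reject-with icmp-host-unreachable
    $IPT -A FORWARD -i "$LAN_IF" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -i "$LAN_IF"        -j REJECT --reject-with icmp-host-unreachable
}

fw_rules
```

    Note that the REJECT target builds its RST or ICMP reply from the firewall's
    own address; the spoofed host-unreachable "from the router" that Frank floats
    is not something REJECT can do, and on a deny-all outside interface no REJECT
    rule belongs at all, since any reply confirms that a filtering device is there.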
