Re: Stealth vs. Blocked
From: Whoever (nobody@devnull.none)
Date: 04/12/03
- Next message: Me: "Re: My Security/Hacker/Internet book is almost ready"
- Previous message: WyldeRover: "Re: Stealth vs. Blocked"
- In reply to: Joseph V. Morris: "Re: Stealth vs. Blocked"
- Next in thread: David: "Re: Stealth vs. Blocked"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Whoever <nobody@devnull.none> Date: Sat, 12 Apr 2003 00:44:48 GMT
On Fri, 11 Apr 2003, Joseph V. Morris wrote:
> Are you guys jiving us? I've never seen a probe on UDP 7 as far as I can
> recall in the past three years. In the last 70 days, www.incidents.org
> shows an absolute (and exceptional) level of 271 targets probed on 10 Feb.
> The next highest total is 48 -- and that's today (interestingly).
Just because you have not seen it happen does not mean that it has not
happened.
I have seen it happen -- albeit only once, but it was a massive attack. It
is possible that I have not seen it happen again because I have prevented
the network from being used as a fraggle amplifier.
Once is enough as rationale for dropping incoming packets to udp/7. I have
to assume that if it happened once, it *may* happen again.
I guess that with iptables, one could do it in a smarter fashion -- by
limiting echo packets to a very low rate, rather than dropping them
entirely.
And *I* never stated that I was trying to hide the existance of the
machines by "stealthing" ports -- just to prevent their use as fraggle or
smurf amplifiers.
- Next message: Me: "Re: My Security/Hacker/Internet book is almost ready"
- Previous message: WyldeRover: "Re: Stealth vs. Blocked"
- In reply to: Joseph V. Morris: "Re: Stealth vs. Blocked"
- Next in thread: David: "Re: Stealth vs. Blocked"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
