Re: weird scans from port 80

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 01/20/03


From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Mon, 20 Jan 2003 09:34:32 +0100

Tim Haynes wrote:
>
> Kasper Dupont <kasperd@daimi.au.dk> writes:
>
> > Steve Webster wrote:
> >>
> >> Kasper Dupont wrote:
> >> > From RFC 793 page 36:
> >> >
> >> > As a general rule, reset (RST) must be sent whenever a segment arrives
> >> > which apparently is not intended for the current connection.
> >> >
> >>
> >> I'm not going to let a "general" rule determine how I respond to
> >> unauthorised attempts to access my servers.
> >
> > What part of the word must is difficult to understand?
>
> I think the part that doesn't look like "MUST" is easily missed.
>
> In your rather illogical and unhelpful rant here, you totally miss few
> important facts: we are talking *firewalling* here, so "general rule"s may
> very well be said not to apply.

The RFCs still apply. I don't understand why some people think calling a
box a firewall gives them the right to violate the rules.

> Not to mention, the reason for using DROP
> instead of REJECT is that you will know exactly what the other box is doing
> by checking the intervals between packets, whereas with reject -you don't
> know whether your rejection foiled them or they were just emitting a single
> packet to scan you.

What do you want to know, and why? Does your curiosity justify violations
of the TCP RFC? If you want to detect a scan you should rather give the
scanner the expected answers, and not watch the packets arriving on a
single host, but rather all packets entering the network through the
gateway.

>
> It is a basic matter of common sense that
> a) the context-lacking rfc snippet you quote is non-authoritative here;

RFCs are authoritative. And if you need more context read the RFC.

> b) it fails to take individual circumstances and considerations into
> account;

Are you the kind of person thinking that rules only applies to
everybody else except from yourself?

> c) an attempt to regulate others' firewalling policies stinks;

I'm not attempting to regulate anybodys firewall policy. I just
say they must obey the RFC. Firewalls violating the RFC stinks.

> d) a measure such as this that actively mandates shooting yourself in the
> balls as a respsonse to a ddos attept is utterly brainless beaurocracy for
> the sake of it.

If you care about DoS attacks impose a limit on the rate of
packets.

>
> Away with your trollish tripe! Make a useful attempt to answer the OP's
> question or hold your peace.

I have given a very thoroughly description of what I think the
problem is, and what can be done about it. In this case the
solution to the problem is to obey the RFC.

I have a problem seeing the morality in your suggestions about
violating the RFC just to see what your party is going to do
in that case.

-- 
Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use mailto:aaarep@daimi.au.dk
for(_=52;_;(_%5)||(_/=5),(_%5)&&(_-=2))putchar(_);


Relevant Pages

  • Re: Restarting ADSL Connection Problem
    ... >>fragmentation and dropped packets due to fragmentation (or my ... >>through the firewall back to the router. ... accept ICMP unreachable packets from my gateway? ... Will my OBSD server adjust packet payloads as per RFC 1191? ...
    (comp.unix.bsd.openbsd.misc)
  • Re: RFC 919 compliance (broadcasts to 255.255.255.255)
    ... I've noticed that FreeBSD does not by default comply to RFC 919, ... packets with a destination address of 255.255.255.255 properly. ... address should be broadcast to the whole IP subnet of the broadcasting ...
    (freebsd-hackers)
  • Re: weird scans from port 80
    ... > box a firewall gives them the right to violate the rules. ... You've yet to quote any fragment of a relevant RFC. ... >> between packets, whereas with reject -you don't know whether your ... Firewalls violating the RFC stinks. ...
    (comp.os.linux.security)
  • Re: Are tcp/udp/ip packets the same format for windows ce & palm OS?
    ... The protocols are defined in an RFC, and the protocol defines exactly what ... the packets will consist of--therefore the tcpip packets would be almost ... This alias is for newsgroup purposes only. ...
    (microsoft.public.pocketpc.developer.networking)
  • Re: [2.4 PATCH] bugfix: ARP respond on all devices
    ... magic make an entry in the route table to go back out of the NIC with the ... hidden patch is not the desired way to solve the problem, ... You have stated that this is required by some RFC. ... should *be* no incoming packets if arp-filter is on. ...
    (Linux-Kernel)