Re: weird scans from port 80
From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 01/20/03
- Next message: Steve Webster: "Re: weird scans from port 80"
- Previous message: Kasper Dupont: "Re: weird scans from port 80"
- In reply to: Tim Haynes: "Re: weird scans from port 80"
- Next in thread: Tim Haynes: "Re: weird scans from port 80"
- Reply: Tim Haynes: "Re: weird scans from port 80"
- Reply: Fredderic: "Re: weird scans from port 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Kasper Dupont <kasperd@daimi.au.dk> Date: Mon, 20 Jan 2003 09:34:32 +0100
Tim Haynes wrote:
>
> Kasper Dupont <kasperd@daimi.au.dk> writes:
>
> > Steve Webster wrote:
> >>
> >> Kasper Dupont wrote:
> >> > From RFC 793 page 36:
> >> >
> >> > As a general rule, reset (RST) must be sent whenever a segment arrives
> >> > which apparently is not intended for the current connection.
> >> >
> >>
> >> I'm not going to let a "general" rule determine how I respond to
> >> unauthorised attempts to access my servers.
> >
> > What part of the word must is difficult to understand?
>
> I think the part that doesn't look like "MUST" is easily missed.
>
> In your rather illogical and unhelpful rant here, you totally miss a few
> important facts: we are talking *firewalling* here, so "general rule"s may
> very well be said not to apply.
The RFCs still apply. I don't understand why some people think calling a
box a firewall gives them the right to violate the rules.
> Not to mention, the reason for using DROP
> instead of REJECT is that you will know exactly what the other box is doing
> by checking the intervals between packets, whereas with reject -you don't
> know whether your rejection foiled them or they were just emitting a single
> packet to scan you.
What do you want to know, and why? Does your curiosity justify violations
of the TCP RFC? If you want to detect a scan you should rather give the
scanner the expected answers, and not watch the packets arriving on a
single host, but rather all packets entering the network through the
gateway.
>
> It is a basic matter of common sense that
> a) the context-lacking rfc snippet you quote is non-authoritative here;
RFCs are authoritative. And if you need more context read the RFC.
> b) it fails to take individual circumstances and considerations into
> account;
Are you the kind of person who thinks that rules only apply to
everybody else except yourself?
> c) an attempt to regulate others' firewalling policies stinks;
I'm not attempting to regulate anybody's firewall policy. I just
say they must obey the RFC. Firewalls violating the RFC stink.
> d) a measure such as this that actively mandates shooting yourself in the
> balls as a response to a ddos attempt is utterly brainless bureaucracy for
> the sake of it.
If you care about DoS attacks impose a limit on the rate of
packets.
>
> Away with your trollish tripe! Make a useful attempt to answer the OP's
> question or hold your peace.
I have given a very thorough description of what I think the
problem is, and what can be done about it. In this case the
solution to the problem is to obey the RFC.
I have a problem seeing the morality in your suggestions about
violating the RFC just to see what your party is going to do
in that case.
-- Kasper Dupont -- who spends too much time on usenet. For sending spam use mailto:aaarep@daimi.au.dk for(_=52;_;(_%5)||(_/=5),(_%5)&&(_-=2))putchar(_);
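The message above argues two things that are easier to see in code: scan detection belongs at the gateway, looking at all inbound packets rather than those reaching one host, and DoS concerns are better handled by limiting the rate of replies than by silently dropping. The following is an added example and not code from the thread or from any of its participants; it assumes a constructed gateway log in the form "epoch src dst port", a hypothetical set of open services, and token-bucket parameters chosen for illustration. Sources touching many distinct destinations in a short window are flagged, and SYNs to closed ports get a RST only while the bucket has tokens, so a flood cannot turn the gateway into a RST generator.

```python
from collections import defaultdict, deque

# Constructed sample of inbound TCP SYNs as a gateway might log them (not real traffic).
# Format: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"
GATEWAY_LOG = """\
1043051672 203.0.113.7 192.0.2.10 80
1043051672 203.0.113.7 192.0.2.11 80
1043051673 203.0.113.7 192.0.2.12 80
1043051673 198.51.100.4 192.0.2.10 80
1043051674 203.0.113.7 192.0.2.13 80
1043051674 203.0.113.7 192.0.2.14 80
1043051674 203.0.113.7 192.0.2.15 80
1043051690 198.51.100.4 192.0.2.10 443
1043051691 198.51.100.4 192.0.2.10 80
"""

# Hypothetical set of services the site actually offers; anything else is a closed port.
OPEN_PORTS = {("192.0.2.10", 80), ("192.0.2.11", 80)}


def parse_log(text):
    """Turn the constructed log into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((float(ts), src, dst, int(port)))
    return events


def detect_scans(events, window=10.0, threshold=5):
    """Flag a source once it has touched `threshold` distinct (dst, port) pairs
    anywhere in the network within `window` seconds. Because the input is the
    gateway's view, a sweep across many hosts is visible even though each host
    sees only a single packet. Returns {src: timestamp_first_flagged}."""
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, port))
    flagged = {}
    for ts, src, dst, port in sorted(events):
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:  # expire entries outside the window
            q.popleft()
        distinct_targets = {target for _, target in q}
        if len(distinct_targets) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


class TokenBucket:
    """Bounds how many RST replies the gateway emits: `rate` tokens per second,
    at most `burst` saved up. When tokens run out the segment is dropped,
    so the RFC behaviour is kept in the normal case and a flood is capped."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, ts):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def plan_responses(events, open_ports, bucket):
    """Decide per SYN: ACCEPT for an open port, RST for a closed port while the
    bucket allows it, DROP only once the RST rate limit is exhausted."""
    plan = []
    for ts, src, dst, port in sorted(events):
        if (dst, port) in open_ports:
            plan.append("ACCEPT")
        elif bucket.allow(ts):
            plan.append("RST")
        else:
            plan.append("DROP")
    return plan


if __name__ == "__main__":
    evs = parse_log(GATEWAY_LOG)
    print("scanning sources:", detect_scans(evs))
    print("responses:", plan_responses(evs, OPEN_PORTS, TokenBucket(rate=1.0, burst=2)))
```

With the constructed log, 203.0.113.7 is flagged at its fifth distinct target even though no single destination host saw more than one packet from it, and the three closed-port SYNs it sends in the same second exhaust a bucket of burst 2, so only the third is dropped; the later closed-port SYN from 198.51.100.4 is answered with a RST as the RFC expects.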