Re: highly secure live CD distro
From: Michael Zawrotny (zawrotny_at_sb.fsu.edu)
Date: 02/23/05
- Next message: Julia Thorne: "Re: Best security configuration and Hosting service question"
- Previous message: Moe Trin: "Re: Newbie can't log into his own wu-ftpd server..."
- In reply to: Moe Trin: "Re: highly secure live CD distro"
- Next in thread: Moe Trin: "Re: highly secure live CD distro"
- Reply: Moe Trin: "Re: highly secure live CD distro"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 23 Feb 2005 22:01:30 GMT
Moe Trin <ibuprofin@painkiller.example.tld> wrote:
> Michael Zawrotny wrote:
>
> >DROPing saves the outgoing packets, but is not compliant with the
> >various RFCs, and therefore technically results in a host with
> >"broken" networking.
>
> It also triples the amount of wasted inbound packets. TCP/IP works
> on making an unreliable connection reliable. It does this by
> retrying to send packets that appear to have fallen through the
> cracks in the cloud.
Good point, I hadn't thought of that. On the other hand, how much
unsolicited incoming traffic should a home user expect?
I don't know how the worms or exploit kits work, but I just tried
a single port (without ping) nmap run from my workstation to my
laptop (nmap -P0 -p 22 laptop) and tcpdump only reported two SYN
packets sent. So for nmap at least, it's a toss-up: one incoming and
one outgoing icmp versus two incoming.
> I've heard that some consumer grade firewalls (read windoze personal garbage)
> have suggested sending a 3/1 back as a smoke screen. This neglects the rather
> obvious fact that the source address in the ICMP packet is the original
> destination... but no one would notice that, right? ;-)
Nobody but us I guess.
> >That is why I suggested DROP for the OP. For a different situation, I
> >would have said REJECT.
>
> Some windoze worms try a ping (ICMP 8) first, to see if the host is up
> before they try to connect via TCP. However, this may just be one of the
> thousands of different windoze worm kits.
Right, but the question then becomes whether or not the worm skips
non-pingable hosts. If it skips them, there is no additional cost
in dropping ping packets. If you don't want to be pinged you can't
send a host-unreachable as we agreed above (unless you are upstream).
Mike
--
Michael Zawrotny                    Institute of Molecular Biophysics
Florida State University            | email: zawrotny@sb.fsu.edu
Tallahassee, FL 32306-4380          | phone: (850) 644-0069
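The trade-off argued in this exchange (DROP costs retransmitted inbound SYNs, REJECT costs one outbound ICMP but answers on the first try) can be measured from a packet capture rather than estimated. The script below is an added example, not code from the thread or from either poster. It parses tcpdump-style lines and tallies inbound SYNs and outbound ICMP unreachables for a protected host; the two captures are constructed (not real traffic), the addresses 192.0.2.10 and 192.0.2.20 are assumed, and the DROP capture models the usual client SYN retransmissions the reply above describes. It also checks Moe's observation that a REJECT reply carries the protected host's address as the ICMP source, which is what makes the "smoke screen" idea self-defeating.

```python
import re

# Constructed tcpdump-style captures (not real traffic) modelling the two
# firewall policies discussed in the thread.
#   DROP:   the probing host gets no answer and its TCP stack retransmits
#           the SYN, so three inbound packets arrive for one probe.
#   REJECT: the first SYN is answered with ICMP host-unreachable (type 3,
#           code 1) and the prober stops, so one inbound plus one outbound.
DROP_CAPTURE = """\
22:01:30.000000 IP 192.0.2.10.40001 > 192.0.2.20.22: Flags [S], seq 1, win 29200, length 0
22:01:31.000000 IP 192.0.2.10.40001 > 192.0.2.20.22: Flags [S], seq 1, win 29200, length 0
22:01:33.000000 IP 192.0.2.10.40001 > 192.0.2.20.22: Flags [S], seq 1, win 29200, length 0
"""

REJECT_CAPTURE = """\
22:01:30.000000 IP 192.0.2.10.40002 > 192.0.2.20.22: Flags [S], seq 1, win 29200, length 0
22:01:30.000100 IP 192.0.2.20 > 192.0.2.10: ICMP host 192.0.2.20 unreachable, length 48
"""

# Assumed address of the host whose firewall policy is being evaluated.
LOCAL_HOST = "192.0.2.20"

# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..."
SYN_RE = re.compile(r"^\S+ IP (\S+)\.\d+ > (\S+)\.\d+: Flags \[S\],")
# "<ts> IP <src> > <dst>: ICMP ... unreachable ..."
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP .*unreachable")


def tally(capture, local=LOCAL_HOST):
    """Count inbound SYNs to `local` and outbound ICMP unreachables from it."""
    counts = {"inbound_syn": 0, "outbound_icmp": 0}
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m and m.group(2) == local:
            counts["inbound_syn"] += 1
            continue
        m = ICMP_RE.match(line)
        if m and m.group(1) == local:
            counts["outbound_icmp"] += 1
    counts["total"] = counts["inbound_syn"] + counts["outbound_icmp"]
    return counts


def icmp_reveals_host(capture, local=LOCAL_HOST):
    """True if any ICMP unreachable in the capture is sourced from `local`.

    A REJECT reply necessarily carries the protected host's own address as
    the IP source, so it confirms the host exists to whoever probed it.
    """
    return any(
        m and m.group(1) == local
        for m in (ICMP_RE.match(line) for line in capture.splitlines())
    )


def compare_policies(local=LOCAL_HOST):
    """Per-policy packet cost of one single-port probe, using the constructed captures."""
    return {
        "DROP": tally(DROP_CAPTURE, local),
        "REJECT": tally(REJECT_CAPTURE, local),
    }


if __name__ == "__main__":
    for policy, counts in compare_policies().items():
        print(f"{policy:7s} inbound SYN={counts['inbound_syn']} "
              f"outbound ICMP={counts['outbound_icmp']} total={counts['total']}")
    print("REJECT reveals host:", icmp_reveals_host(REJECT_CAPTURE))
    print("DROP reveals host:  ", icmp_reveals_host(DROP_CAPTURE))
```

Run it against a real capture by replacing the constructed strings with `tcpdump -n -i <iface> 'tcp[tcpflags] & tcp-syn != 0 or icmp'` output; the SYN count per source port is the retransmission cost of DROP, and the ICMP count is the cost of REJECT.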