Re: block_ssh_guessers



On Wed, 26 Apr 2006, in the Usenet newsgroup comp.os.linux.security, in article
<pan.2006.04.26.14.52.58.349068@xxxxxxxxxxxxxx>, sudo namei wrote:

[Your post is referring to my article, but the substance doesn't seem
to relate to the contents. Not quoting what you are writing about makes
it hard to follow.]

> I suppose it would be theoretically possible to attempt to overwhelm the
> port knocking daemon by sheer volume - say, an aggressive port scan that
> just didn't quit. It is remotely conceivable that *some* unpleasant
> behavior might result if you simply banged on every door incessantly.

It's more likely to be a problem with the firewall or network stack. It
obviously depends on how you implement the port-knocking daemon, but it's
only interested in the fact that the "knock" occurred - normally not what
might be in the packet (which after all is only going to be a SYN in most
cases), or how many times the knock occurred. Depending on the paranoia
level, the daemon may want to block access if the knocking host tries
ports OTHER THAN the expected ones in the sequence. As I stated, you don't
want to make things too complex, as that is a good way to shoot yourself in
the foot.

> However, it seems highly unlikely that this would result in any sort of
> information disclosure or "exploit." Far more likely to result in a DOS
> due to, for example, the logs using up all available disk space.

You're assuming the logs are written to disk. They don't have to be. In
fact, logging "I blocked this - ain't I a good firewall" to disk is
_usually_ a waste of time, CPU cycles, disk-space and bandwidth.

> But a DOS while annoying, wouldn't disclose anything interesting

Bingo

> not to mention, if the victim of such an attack is even remotely competent,
> the attempt should have been noticed and responded to in SOME measure long
> before disk space became an issue.

A lot depends on the mechanism of the attack. Example: windoze messenger
spam - UDP packets to ports 1025-1035 typically, sized between 250 and 1400
octets, flogging some wankers product (usually a "fix your windoze registry"
application). Several years ago, we noted this as a huge waste of bandwidth
and because the entire spam is in a single UDP packet, the spammers were
usually using spoofed IP addresses. Sending an ICMP error, or RST is a
waste of bandwidth - the "advertisement" has been delivered, and the ICMP
or RST packet is likely to go to some innocent victim. Our solution was
to use port-shifting to move _outbound_ UDP (almost always DNS queries)
out of the source range of (say) 1025 to 1050, to some higher numbers.
Thus, there should never be any legitimate packets _inbound_ to those
ports - allowing our upstream to silently drop all inbound in that range.
Last time I bothered looking at this, I was seeing _roughly_ a thousand
messages per day per IP address - about a half Megabyte. Scale that to a
/16, and it becomes a chunk of change for bandwidth you can spend paying
for the boxes that do the filtering and port shifting.

Old guy
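A minimal knock tracker in the spirit of the daemon described above, added here as an example and not code from the thread. The knock sequence, the per-source cap and the addresses are constructed. It records only that a SYN hit the expected port (payload and repeat count are ignored), bounds the state it keeps so a scan that "just didn't quit" cannot exhaust memory, and with strict=True blocks a source that knocks on a port outside the sequence, the "paranoia level" option from the post.

```python
from collections import OrderedDict

# Assumed values for the example, not from the post.
KNOCK_SEQUENCE = (7000, 8000, 9000)
MAX_TRACKED = 1000  # cap on remembered sources so a flood cannot exhaust memory


class KnockTracker:
    """Per-source progress through KNOCK_SEQUENCE.

    Only the fact that a SYN hit a port matters: payload is never inspected,
    and a repeated knock on the port just accepted is ignored, so a
    retransmitted SYN neither advances nor resets the sequence.
    strict=True blocks a source that knocks on any port outside the sequence;
    strict=False merely restarts its progress.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, strict=False, max_tracked=MAX_TRACKED):
        self.sequence = tuple(sequence)
        self.strict = strict
        self.max_tracked = max_tracked
        self.progress = OrderedDict()  # src -> index of the next expected port
        self.blocked = set()

    def knock(self, src, port):
        """Feed one observed (src, dst_port) SYN; return 'open', 'blocked' or 'pending'."""
        if src in self.blocked:
            return "blocked"
        idx = self.progress.pop(src, 0)  # pop so a re-insert lands at the end (LRU order)
        if port == self.sequence[idx]:
            idx += 1
        elif idx > 0 and port == self.sequence[idx - 1]:
            pass  # duplicate of the knock just accepted: ignore it
        elif self.strict and port not in self.sequence:
            self.blocked.add(src)  # touched a door outside the sequence
            return "blocked"
        else:
            idx = 1 if port == self.sequence[0] else 0  # out of order: start over
        if idx == len(self.sequence):
            return "open"  # full sequence seen; the caller opens the real port
        if idx:  # only remember sources that have made progress
            if len(self.progress) >= self.max_tracked:
                self.progress.popitem(last=False)  # evict the stalest source
            self.progress[src] = idx
        return "pending"
```

Note that nothing is logged per packet; a real daemon would record only the "open" and "blocked" transitions, which is the point made above about not writing every dropped packet to disk.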


