Dailydave mailing list archives
RE: Sending remote procedure calls through e-mail(RPC-Mail)
From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Wed, 20 Oct 2004 14:26:13 -0400
Port knocking, by definition has to stick to a certain range of ports. If you start eliminating ports it can't use you are left with a very simple problem of writing a quick port scan engine for you worm and have it try any of the ports in the range that it finds. This provides a great starting place for a worm to defeat port knocking. Port knocking is just the latest stop gap for worm activity; it is not a solution or even a speedbump. The reason this isn't done is nobody really uses port knocking. I haven't really met a single person yet that is convinced that port knocking call deliver on the promises made. -----Original Message----- From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of John Bryson Sent: Wednesday, October 20, 2004 2:08 PM To: dailydave () lists immunitysec com Subject: Re: [Dailydave] Sending remote procedure calls through e-mail(RPC-Mail) On Wed, 2004-10-20 at 09:57, Paul Wouters wrote:
On Wed, 20 Oct 2004, John Bryson wrote:Yes, but wouldnt port knocking stop a lot of automated attacks?And add a DDOS one? A new worm will just portknock some common
examples
and keep knocking until the silly portknock code will automaticly
disable
port knocking. At least, the portknocking code I looked at for a few minutes a while ago was stupid enough to have this 'protection'
against
brute force port knocking. And instead of trying it once, it will keep trying to break in, wasting more resources then if it tried once and
saw
it didn't work.
Part of the point is that worms _dont_ do this. So you would get immediate immunity from all kinds of old malware, and some new malware. Yes, in theory a worm writer could try to do this. But they dont. And even if they tried to, Im not convinced they could make any general worm that would be effective. You will have raised the bar for automated attacks. Which port should the worm direct packets to? It doesnt know. It cant know ahead of time. And each site would be different, so how does the worm spread effectively. Thats part of the point. So yes, a worm could try some simple common stuff (if there emerge some common schemes) but in any decent port knocking scheme you can just ignore it. And doing a dos would be very difficult, if it isnt self-inflicted.
port knocking is stupid. If you want to protect your host, only allow
SSH
through IPsec. Then you only need to be aware of the IKE daemon
running
on that host (and any other public service this machine should perform
to
non-authenticated users)
if you want to knock, use an authenticated knock, not morse code. We
didn't
invent computers for nothing.
I agree that an authenticated knocking scheme is a better way to go. You'll notice that I didnt suggest morse code.
Paul
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Sending remote procedure calls through e-mail(RPC-Mail) David Maynor (Oct 19)
- <Possible follow-ups>
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Maynor, David (ISS Atlanta) (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Frank Knobbe (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) John Bryson (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Frank Knobbe (Oct 20)
- Re: Sending remote procedure calls through e-mail(RPC-Mail) Florian Weimer (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Paul Wouters (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Frank Knobbe (Oct 20)
- Re: Sending remote procedure calls through e-mail(RPC-Mail) Sandino Araico Sánchez (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Frank Knobbe (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Paul Wouters (Oct 20)