Security Incidents mailing list archives
Re: TCP port 5000 syn increasing
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 19 May 2004 07:21:08 -0700 (PDT)
Andreas,
I'm waiting for the first worm that tunnels over HTTP port 80, as a number of protocols already do, to get around firewalls that only pass 25 and 80. ;) It would have to be "de-tunneled" on the inside to do something useful. Either the network is already compromised, or it exploits something on that specific service.
Excellent point! It's about time something more lucid passed through this list. To be honest, there's way too much hand-waving and too much of a smoke-and-mirrors approach to infosec. It's so easy to say "worm that tunnels into the network over port 80" and get the media (and following the domino effect, the general public) all hyped and spinning out of control. But you're right...it has to be "de-tunnelled" to something, unless it's an exploit against the web server itself - at which point it isn't tunnelling, then, is it?

And you know, even this kind of thing is relatively easy to protect against. If you're going to configure your router or firewall in a default deny status, and then allow only specific traffic, why not then just restrict that traffic to specific hosts or ranges? Why allow port 25 into your entire infrastructure, when you've got only one email server? Why not just allow port 25 to the specific host, or to ranges depending upon the size of your infrastructure?
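The scoping check described in the reply above, as an added example that is not part of the original message: a small Python audit that compares each allow rule's destination with the hosts known to run that service, and confirms the policy is default deny. The rule format, the host inventory and the addresses (RFC 5737 documentation range) are constructed assumptions.

```python
import ipaddress

# Constructed inventory: which hosts actually run a service on each port.
SERVICE_HOSTS = {25: ["192.0.2.10"], 80: ["192.0.2.20", "192.0.2.21"]}

# Constructed inbound rule set in a hypothetical, vendor-neutral format.
RULES = [
    {"action": "allow", "port": 25, "dst": "192.0.2.0/24"},    # whole range
    {"action": "allow", "port": 80, "dst": "192.0.2.20/31"},   # exactly the web hosts
    {"action": "allow", "port": 25, "dst": "192.0.2.10/32"},   # only the mail server
    {"action": "allow", "port": 5000, "dst": "192.0.2.30/32"}, # no known service
]


def audit_scope(rules, service_hosts):
    """Return (rule index, port, destination, excess address count) for every
    allow rule that reaches addresses not known to run that service."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        net = ipaddress.ip_network(rule["dst"])
        known = {ipaddress.ip_address(h) for h in service_hosts.get(rule["port"], [])}
        covered = {h for h in known if h in net}
        excess = net.num_addresses - len(covered)
        if excess > 0:
            findings.append((idx, rule["port"], str(net), excess))
    return findings


def is_default_deny(default_policy):
    """True when traffic matching no rule is dropped."""
    return default_policy.lower() in ("deny", "drop", "reject")


if __name__ == "__main__":
    print("default deny:", is_default_deny("deny"))
    for idx, port, dst, excess in audit_scope(RULES, SERVICE_HOSTS):
        print(f"rule {idx}: port {port} open to {dst}, "
              f"{excess} address(es) with no known service")
```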