Dailydave mailing list archives
Re: Sending remote procedure calls through e-mail (RPC-Mail)
From: John Bryson <john.bryson () oit gatech edu>
Date: Wed, 20 Oct 2004 14:07:37 -0400
On Wed, 2004-10-20 at 09:57, Paul Wouters wrote:
On Wed, 20 Oct 2004, John Bryson wrote:Yes, but wouldnt port knocking stop a lot of automated attacks?And add a DDOS one? A new worm will just portknock some common examples and keep knocking until the silly portknock code will automaticly disable port knocking. At least, the portknocking code I looked at for a few minutes a while ago was stupid enough to have this 'protection' against brute force port knocking. And instead of trying it once, it will keep trying to break in, wasting more resources then if it tried once and saw it didn't work.
Part of the point is that worms _dont_ do this. So you would get immediate immunity from all kinds of old malware, and some new malware. Yes, in theory a worm writer could try to do this. But they dont. And even if they tried to, Im not convinced they could make any general worm that would be effective. You will have raised the bar for automated attacks. Which port should the worm direct packets to? It doesnt know. It cant know ahead of time. And each site would be different, so how does the worm spread effectively. Thats part of the point. So yes, a worm could try some simple common stuff (if there emerge some common schemes) but in any decent port knocking scheme you can just ignore it. And doing a dos would be very difficult, if it isnt self-inflicted.
port knocking is stupid. If you want to protect your host, only allow SSH through IPsec. Then you only need to be aware of the IKE daemon running on that host (and any other public service this machine should perform to non-authenticated users)
if you want to knock, use an authenticated knock, not morse code. We didn't invent computers for nothing.
I agree that an authenticated knocking scheme is a better way to go. You'll notice that I didnt suggest morse code.
Paul
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Sending remote procedure calls through e-mail (RPC-Mail), (continued)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) David Maynor (Oct 19)
- Message not available
- Fwd: Sending remote procedure calls through e-mail (RPC-Mail) Chris Kuethe (Oct 19)
- Re: Sending remote procedure calls through e-mail(RPC-Mail) Kurt Seifried (Oct 19)
- Fwd: Sending remote procedure calls through e-mail (RPC-Mail) Chris Kuethe (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Cristiano Lincoln Mattos (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Chris Kuethe (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Frank Knobbe (Oct 19)
- 'pr0jekt MAYHeM -- "~el8 team"' in full effect on the Daily Dave, etc =) robert (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Chris Kuethe (Oct 19)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Peter Busser (Oct 20)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) John Bryson (Oct 20)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) Paul Wouters (Oct 20)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) John Bryson (Oct 20)
- Re: Sending remote procedure calls through e-mail (RPC-Mail) John Bryson (Oct 20)