Dailydave mailing list archives

RE: Sending remote procedure calls through e-mail(RPC-Mail)


From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Wed, 20 Oct 2004 14:26:13 -0400

Port knocking, by definition, has to stick to a certain range of ports.
If you start eliminating ports it can't use, you are left with a very
simple problem of writing a quick port scan engine for your worm and having
it try any of the ports in the range that it finds. This provides a
great starting place for a worm to defeat port knocking. Port knocking
is just the latest stop-gap for worm activity; it is not a solution or
even a speed bump.

The reason this isn't done is that nobody really uses port knocking. I
haven't really met a single person yet who is convinced that port
knocking can deliver on the promises made.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of John
Bryson
Sent: Wednesday, October 20, 2004 2:08 PM
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Sending remote procedure calls through
e-mail(RPC-Mail)

On Wed, 2004-10-20 at 09:57, Paul Wouters wrote:
> On Wed, 20 Oct 2004, John Bryson wrote:
>
> > Yes, but wouldn't port knocking stop a lot of automated attacks?
>
> And add a DDoS one? A new worm will just portknock some common examples
> and keep knocking until the silly portknock code will automatically disable
> port knocking. At least, the portknocking code I looked at for a few
> minutes a while ago was stupid enough to have this 'protection' against
> brute force port knocking. And instead of trying it once, it will keep
> trying to break in, wasting more resources than if it tried once and saw
> it didn't work.

Part of the point is that worms _don't_ do this. So you would get
immediate immunity from all kinds of old malware, and some new malware.
Yes, in theory a worm writer could try to do this. But they don't. And
even if they tried to, I'm not convinced they could make any general worm
that would be effective. You will have raised the bar for automated
attacks.

Which port should the worm direct packets to? It doesn't know. It can't
know ahead of time. And each site would be different, so how does the
worm spread effectively? That's part of the point. So yes, a worm could
try some simple common stuff (if there emerge some common schemes), but
in any decent port knocking scheme you can just ignore it. And doing a
DoS would be very difficult, if it isn't self-inflicted.


> Port knocking is stupid. If you want to protect your host, only allow SSH
> through IPsec. Then you only need to be aware of the IKE daemon running
> on that host (and any other public service this machine should perform to
> non-authenticated users).
>
> If you want to knock, use an authenticated knock, not morse code. We didn't
> invent computers for nothing.

I agree that an authenticated knocking scheme is a better way to go.
You'll notice that I didn't suggest morse code.

> Paul


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
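As an added illustration of the "authenticated knock, not morse code" point argued above (example code written for this archive page, not from anyone in the thread): the key, addresses and port sequence are constructed values. The HMAC verifier binds each knock to a timestamp, a random nonce and the source address and keeps no lockout counter, so unauthenticated traffic is simply dropped; the sequence-only verifier beside it reproduces the self-disabling "protection" the thread criticises.

```python
import hashlib, hmac, os, struct, time

WINDOW = 30  # seconds a knock stays valid; also bounds the replay cache

def make_knock(key, src_ip, ts=None, nonce=None):
    """Client side: 8-byte timestamp || 8-byte random nonce || HMAC-SHA256 over both plus the source IP."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(8) if nonce is None else nonce
    body = struct.pack(">Q", ts) + nonce
    return body + hmac.new(key, body + src_ip.encode(), hashlib.sha256).digest()

class AuthKnockVerifier:
    """Server side. No lockout counter: a flood of bad knocks costs one HMAC each and disables nothing."""
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> expiry time; the replay cache

    def verify(self, packet, src_ip):
        if len(packet) != 8 + 8 + 32:
            return False
        body, tag = packet[:16], packet[16:]
        ts, nonce = struct.unpack(">Q", body[:8])[0], body[8:16]
        now = int(time.time())
        if abs(now - ts) > WINDOW:  # stale or future-dated: reject before touching the cache
            return False
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # keep the cache bounded
        if nonce in self.seen:  # a captured knock being replayed
            return False
        expected = hmac.new(self.key, body + src_ip.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # forged, or sent from another address
            return False
        self.seen[nonce] = ts + WINDOW
        return True

class SequenceKnockWithLockout:
    """The sequence-only design the thread describes: a few wrong sequences from anyone switch it off."""
    def __init__(self, sequence, max_failures=3):
        self.sequence, self.max_failures = list(sequence), max_failures
        self.failures, self.disabled = 0, False

    def verify(self, ports):
        if self.disabled:
            return False
        if list(ports) == self.sequence:
            return True
        self.failures += 1
        self.disabled = self.failures >= self.max_failures  # unauthenticated traffic flips this: self-inflicted DoS
        return False
```

Binding the tag to the source address means a knock captured on the wire cannot be reused from elsewhere, at the cost of not working for clients behind changing NAT addresses.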

