Dailydave mailing list archives
RE: Sending remote procedure calls through e-mail(RPC-Mail)
From: John Bryson <john.bryson () oit gatech edu>
Date: Wed, 20 Oct 2004 15:33:08 -0400
With a trivial port knocking scheme, I would have to agree. But, I disagree that its easy for a worm to do this, unless your port knocking scheme was trivial like 'hit port 55 then 5'. Imagine a fairly simple port knocking scheme where you dont have listening daemons, but sniff the packets off the wire - require users to hit port 81 then 5 then 5555, in order, and within a small period of time. Then a firewall hole is opened up for that user to services. And assume that you get no response at all from the server until you have completed that. Too many bad attempts from the same Ip and you quit listening to that ip for perhaps 5 min. [I just spent all of 10 minutes thinking up this scheme, so there is a chance that it sucks B^) ] But, how will a worm figure that out? It cant with a simple port scan. It would have to try a lot of combinations, even with this simple scheme. It gets no feedback until it guesses correctly. And if you add authentication to that, I think its fairly worm-proof. However...I have to admit that this doesnt help worm attacks on public services. And it does add some support costs to the organization, which might be the best reason not to use it. (you have to work out a port knocking scheme, maybe write some software, and you might need custom clients or train users) John On Wed, 2004-10-20 at 14:36, Frank Knobbe wrote:
On Wed, 2004-10-20 at 13:26, Maynor, David (ISS Atlanta) wrote:Port knocking is just the latest stop gap for worm activity; it is not a solution or even a speedbump.That is especially true when you consider that port-knocked services are _private_ services -- service you have to "authenticate/knock" to. It doesn't do anything at all for _public_ services like web sites, FTP sites, CVS repositories, mail servers, etc, etc. -Frank ______________________________________________________________________ _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
-- John Bryson Technical Services Mgr,OIT,GeorgiaInstitute of Technology (W)404-894-6153 (C)404-229-9247 (P)discontinued "This sort of thing has cropped up before... and it has always been due to human error" - HAL, 2001 A Space Odyssey _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Sending remote procedure calls through e-mail(RPC-Mail) David Maynor (Oct 19)
- <Possible follow-ups>
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Maynor, David (ISS Atlanta) (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Frank Knobbe (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) John Bryson (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Frank Knobbe (Oct 20)
- Re: Sending remote procedure calls through e-mail(RPC-Mail) Florian Weimer (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Paul Wouters (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Frank Knobbe (Oct 20)
- Re: Sending remote procedure calls through e-mail(RPC-Mail) Sandino Araico Sánchez (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Frank Knobbe (Oct 20)
- RE: Sending remote procedure calls through e-mail(RPC-Mail) Paul Wouters (Oct 20)