IDS mailing list archives

RE: Intrusion prevention and dDos protection


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 27 Aug 2003 14:07:38 -0500

On Tue, 2003-08-26 at 10:31, Rob Shein wrote:
I don't understand how the cloaking would work.  It would seem to me that a
firewall that drops all inbound packets that are not part of an existing
connection is as invisible as a system that isn't online...

The cloaking is nothing else but sending a SYN-ACK back instead of a
silent drop. In other words, your TCP 3-way establishes a connection,
but nothing else is happening (no tar-pitting etc.). When you scan a box
it should report that all ports are open. Now you are left to banner
grab all ports to see what port is actually a real service and what port
is not.

The concept has been kicked around for years. Some company is marketing it as
their 'cloaking' architecture (probably an expensive product :). LaBrea
is similar, but acts only on unused IPs and keeps the connection alive.
A cloak works more on a port basis than an IP basis.

I was thinking of hacking ipfilter so that an option 'cloak' would be
available, which does nothing else but do the 3-way and move on. My
plan was to copy the routine from block-rst and just change the RST to a
SYN-ACK. Unfortunately I have found the time for it... :(

Cheers,
Frank
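The cloak policy described in the post, modelled as an added example (not the post's code and not ipfilter's): a host that completes the 3-way handshake on every port but only speaks on ports with a real listener. The host, its two services and their banners are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: ports with a real listener and the banner each sends
# once the handshake completes. Every other port is a cloaked (fake) port.
REAL_SERVICES = {22: b"SSH-2.0-example\r\n", 25: b"220 mail.example ready\r\n"}


@dataclass
class CloakedHost:
    """Hypothetical host applying the 'cloak' policy to every TCP port."""
    services: dict
    cloak: bool = True                      # False = ordinary RST on closed ports
    state: dict = field(default_factory=dict)

    def on_segment(self, port, flags):
        """Response to one inbound segment as (flags, payload); None = nothing sent."""
        if flags == "SYN":
            if port in self.services or self.cloak:
                self.state[port] = "SYN_RCVD"
                return ("SYN-ACK", b"")     # cloak: every port looks open
            return ("RST", b"")             # classic closed port
        if flags == "ACK" and self.state.get(port) == "SYN_RCVD":
            self.state[port] = "ESTABLISHED"
            if port in self.services:
                return ("PSH-ACK", self.services[port])  # real service greets
            return None                     # cloaked: connected, then silence
        return None                         # anything else is absorbed silently


def syn_scan(host, ports):
    """Ports a SYN scan reports as open: those answering SYN with SYN-ACK."""
    return [p for p in ports if host.on_segment(p, "SYN") == ("SYN-ACK", b"")]


def banner_grab(host, ports):
    """Finish the handshake on each port; keep only ports that send a banner."""
    banners = {}
    for p in ports:
        if host.on_segment(p, "SYN") != ("SYN-ACK", b""):
            continue
        reply = host.on_segment(p, "ACK")
        if reply is not None and reply[1]:
            banners[p] = reply[1]
    return banners


if __name__ == "__main__":
    ports = range(1, 1025)
    cloaked = CloakedHost(REAL_SERVICES)
    print(len(syn_scan(cloaked, ports)), "ports appear open")      # 1024
    print(sorted(banner_grab(cloaked, ports)), "actually answer")  # [22, 25]
```

With `cloak=False` the same host answers closed ports with RST and the SYN scan shows only 22 and 25; with the cloak on, every port looks open and only completing the handshake and waiting for a banner separates real listeners from decoys.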




