Security Incidents mailing list archives
Re: Port 113 requests?
From: woods () weird com (Greg A. Woods)
Date: Fri, 7 Dec 2001 14:10:24 -0500 (EST)
[ On Thursday, December 6, 2001 at 16:24:59 (-0800), Crist J . Clark wrote: ]

> Subject: Re: Port 113 requests?
>
> It's a trade. If you drop the auth attempts silently, you usually then have to wait for the attempts to time out before whatever you did to prompt the auth attempt can proceed. If you send a RST or ICMP-unreachable, you don't have to wait for the time out.
Where's the trade-off? Clearly you don't want to force a time-out wait! Note that returning a TCP RST is the only guaranteed-to-always-work solution. Whether you do that with your firewall, or with the target host itself (eg. by simply not running identd) is mostly irrelevant. TCP/IP stacks might not drop existing connection attempts when an ICMP unreachable (port or host) is received (as doing so could open them up to well timed DoS attacks).
> In this case, it's someone's mail server getting the auth connection attempt. Everyone knows where everybody else's mail servers are (receiving hubs have MX records, senders are in the mail headers). Sending RSTs on port 113 is just telling the world that you don't want their auth requests; you are not really giving anything away to an intruder.
Indeed! You're not giving away anything at all by refusing port-113 connections. Any potential attacker will already know far more about your network than could ever be learned from the fact that some host is not (or at least appears not to be) running identd! Note too that if you silently drop port-113 destined packets then the intruder may actually learn that you're not such a hot-shot firewall administrator and that may even give them more clues than if you simply punched a hole through your firewall for all port-113 connections! ;-)

On the other hand accepting port-113 connections and returning a carefully crafted and encrypted reply (eg. by running pidentd with the '-C' flag) might actually deter an intruder because doing so might suggest to them that you're somewhat savvy as to what the IDENT protocol is really all about and thus you might be more security conscious than they're willing to deal with! ;-)

-- 
Greg A. Woods
+1 416 218-0098; <gwoods () acm org>; <g.a.woods () ieee org>; <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
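The trade-off the thread describes (a silent drop makes the querying side wait for its timeout, a TCP RST lets it proceed at once) can be seen from the side of the mail server doing the IDENT lookup. The following is an added example, not code from the thread or from pidentd: a minimal RFC 1413 client with a bounded timeout, plus a throwaway local responder that either answers with a constructed reply or accepts and never answers (standing in for the black-holed case), and a lookup against a closed local port (standing in for a host that sends RST). Host, port numbers and the reply text are constructed for the demonstration.

```python
import socket
import threading
import time

# RFC 1413 "auth" port; the demonstration uses ephemeral loopback ports instead.
IDENT_PORT = 113


def ident_query(host, port, remote_port, local_port, timeout=2.0):
    """One RFC 1413 lookup: send "<port-on-their-side> , <port-on-our-side>\\r\\n".

    Returns (status, detail, elapsed_seconds) where status is one of:
      "reply"   - a responder answered (detail holds the raw reply line)
      "refused" - TCP RST came back (no identd, or a REJECT rule): instant
      "timeout" - nothing came back within `timeout` (silent drop / black hole)
      "error"   - any other socket error (detail holds the message)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{remote_port} , {local_port}\r\n".encode("ascii"))
            data = b""
            while not data.endswith(b"\r\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:          # peer closed without a full line
                    break
                data += chunk
        return ("reply", data.decode("ascii", "replace").strip(), time.monotonic() - start)
    except ConnectionRefusedError:
        return ("refused", "", time.monotonic() - start)
    except (socket.timeout, TimeoutError):
        return ("timeout", "", time.monotonic() - start)
    except OSError as exc:
        return ("error", str(exc), time.monotonic() - start)


def start_responder(mode, canned=b"40000 , 25 : USERID : UNIX : alice\r\n"):
    """Throwaway loopback listener (constructed for the demo, not a real identd).

    mode="answer": read the query, send the constructed canned reply.
    mode="hang":   accept the connection and never reply, which the client
                   experiences exactly like a silently dropped query.
    Returns (port, stop_event); set the event to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)            # poll so the thread notices `stop`
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if mode == "answer":
                    conn.recv(256)
                    conn.sendall(canned)
                else:
                    stop.wait(timeout=5)   # hold the connection open, say nothing
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def closed_local_port():
    """Pick a loopback port nobody listens on: a connect to it gets an RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=0.5):
    """Run the three cases and return {case: (status, detail, elapsed)}."""
    results = {}
    port, stop = start_responder("answer")
    results["answer"] = ident_query("127.0.0.1", port, 40000, 25, timeout)
    stop.set()
    port, stop = start_responder("hang")
    results["hang"] = ident_query("127.0.0.1", port, 40000, 25, timeout)
    stop.set()
    results["refused"] = ident_query("127.0.0.1", closed_local_port(), 40000, 25, timeout)
    return results


if __name__ == "__main__":
    for case, (status, detail, elapsed) in demo().items():
        print(f"{case:8s} -> {status:8s} {elapsed:.3f}s {detail}")
```

The "refused" case returns in microseconds because the RST ends the connection attempt immediately; the "hang" case costs the full timeout, which is the wait Crist describes for silently dropped packets, and it is paid on every inbound SMTP session if the querying mail server does not bound its lookup as this client does. On the firewall side the same distinction is the difference between an iptables `-j DROP` rule and `-j REJECT --reject-with tcp-reset` for port 113.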