Penetration Testing mailing list archives

Re: DROP or REJECT that is the question...


From: Tim <tim-pentest () sentinelchicken org>
Date: Sat, 7 Apr 2007 08:04:40 -0400

My research was specifically focused on information leakage through TCP
port scanning.  After modeling the various scenarios (SYN stealth
scanning, spoofed SYNs, spoofed SYNs through an idle scan, etc.), I found
that the best strategy for the defender is to always return a RST on
blocked ports.  This is because it will eliminate the attacker's ability
to use an idle scan to obtain port information without giving away her
IP address.

Keep in mind that you must be very careful about how the RSTs are sent
back, and this isn't the only consideration.  Also, this applies only to
TCP, since idle scans are generally a TCP-only attack.  Food for thought
though.

Correction here.  I meant to say you should always return a SYN/ACK to
blocked ports, if you want to eliminate idle scans.  This is a form of
tarpitting.  In order for an attacker to truly determine if there's a
service on that port, they would have to give up their IP address which
is much more valuable information.

tim
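The scenarios the post models, as an added example that is not part of the original message: a small Python model of what an observer of an idle ("zombie") host's IP ID counter can infer about a target port under each firewall policy for blocked ports (DROP, RST, or SYN/ACK). It sends no packets; the policy names and the assumption that the zombie answers an unsolicited SYN/ACK with a RST and ignores an unsolicited RST are this example's own simplifications.

```python
"""Leakage model for three firewall policies on blocked TCP ports.

Added example for this thread (not the author's code). It only models the
segment exchange; nothing is transmitted.
"""
from enum import Enum
from typing import Dict, Optional


class Policy(Enum):
    DROP = "drop"        # silently discard the SYN (no reply)
    RST = "rst"          # answer the SYN with a RST
    SYNACK = "synack"    # answer the SYN with a SYN/ACK (tarpit-style)


def target_reply(port_open: bool, policy: Policy) -> Optional[str]:
    """Segment the target returns for a SYN that carries the zombie's address."""
    if port_open:
        return "SYN/ACK"  # a listening service always completes step 2
    return {Policy.DROP: None, Policy.RST: "RST", Policy.SYNACK: "SYN/ACK"}[policy]


def zombie_ipid_delta(reply: Optional[str]) -> int:
    """Assumption: a classic idle host answers an unsolicited SYN/ACK with a
    RST (IP ID counter +1) and silently ignores an unsolicited RST or silence."""
    return 1 if reply == "SYN/ACK" else 0


def port_state_is_inferable(policy: Policy) -> bool:
    """True when the zombie's IP ID delta differs between an open and a blocked
    port, i.e. the policy leaks port state to an observer who never has to
    reveal its own IP address."""
    open_delta = zombie_ipid_delta(target_reply(True, policy))
    blocked_delta = zombie_ipid_delta(target_reply(False, policy))
    return open_delta != blocked_delta


def leakage_report() -> Dict[str, bool]:
    """Map each policy name to whether port state leaks through the zombie."""
    return {p.value: port_state_is_inferable(p) for p in Policy}


if __name__ == "__main__":
    for name, leaks in leakage_report().items():
        state = "LEAKS" if leaks else "hidden"
        print(f"{name:7s} policy: port state {state} via zombie IP ID")
```

Only the SYN/ACK policy makes open and blocked ports look identical from the zombie's side, which is the point of the correction in the post.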
