Gentoo Logo
Gentoo Spaceship

Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
To: gentoo-security@g.o
From: Frank Gruellich <frank@...>
Subject: Re: firewall suggestions?
Date: Thu, 8 Jan 2004 17:26:03 +0100
* Benjamin Jury <benjamin.jury@...>  8. Jan 04
> > * Thomas T. Veldhouse <veldy@...>  8. Jan 04
> > > Oliver Schad wrote:
> > > > [DROP or REJECT]
> > > One reason ... it slows down various scans.
> > No, it doesn't.
> If you reject the packet does it not allow you to be used for DOSing a host
> via a spoofed IP?

WTF?  Could you please be more specific, how this could work?  I would
really be interested.

Something like this: $badguy sends a spoofed paket to any host, the host
answers usually with ICMP3/3 to the wrong IP# (the reject).  This host
suddenly receives the message and discards it, as it doesn't belong to
any of it's requests.

I can't see, how to DoS somebody this way.  It binds on attackers side
as much resources as on victims one.  A DDoS with many more hosts,
flooding rejecting filters with pakets of _one_ spoofed IP# (the one of
the victim) could do some damage, but discarding pakets is much less
expensive than sending answers.  For DoSing you have to achieve, that
the victim queuses requests somehow.

I know only one missuse of REJECT:  Look for an idle host with a OS
using predictable (ascending) sequence numbers.  Now you can use this
host to scan another without appearing in its logfiles: constantly
stream the idle host with pakets and record the answers.  Send a SYN
with the IP# of the idle host to the host to be scanned and it will
either answer with SYN/ACK, a ICMP to the idle host or not at all.  The
ICMP will be simply discarded (and isn't of interest anyway), but if the
idle host receives a SYN/ACK without a previous SYN it sends a RST with
current sequence number.  And exactly this sequence number you will miss
in your records.  A little timing and much free time you will find out
open ports.  Happy hacking.

But the disadvanteges of DROP are IMHO still outweighing,
 regards, Frank.
Sigmentation fault

gentoo-security@g.o mailing list

RE: firewall suggestions?
-- Benjamin Jury
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
RE: firewall suggestions?
Next by thread:
Re: firewall suggestions?
Previous by date:
Re: firewall suggestions?
Next by date:
Re: firewall suggestions?

Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.