Gentoo Archives: gentoo-security

From: Frank Gruellich <frank@××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 16:33:25
In Reply to: RE: [gentoo-security] firewall suggestions? by Benjamin Jury
* Benjamin Jury <benjamin.jury@××××.com>  8. Jan 04
> > * Thomas T. Veldhouse <veldy@×××××.net> 8. Jan 04 > > > Oliver Schad wrote: > > > > [DROP or REJECT] > > > One reason ... it slows down various scans. > > No, it doesn't. > If you reject the packet does it not allow you to be used for DOSing a host > via a spoofed IP?
WTF? Could you please be more specific, how this could work? I would really be interested. Something like this: $badguy sends a spoofed paket to any host, the host answers usually with ICMP3/3 to the wrong IP# (the reject). This host suddenly receives the message and discards it, as it doesn't belong to any of it's requests. I can't see, how to DoS somebody this way. It binds on attackers side as much resources as on victims one. A DDoS with many more hosts, flooding rejecting filters with pakets of _one_ spoofed IP# (the one of the victim) could do some damage, but discarding pakets is much less expensive than sending answers. For DoSing you have to achieve, that the victim queuses requests somehow. I know only one missuse of REJECT: Look for an idle host with a OS using predictable (ascending) sequence numbers. Now you can use this host to scan another without appearing in its logfiles: constantly stream the idle host with pakets and record the answers. Send a SYN with the IP# of the idle host to the host to be scanned and it will either answer with SYN/ACK, a ICMP to the idle host or not at all. The ICMP will be simply discarded (and isn't of interest anyway), but if the idle host receives a SYN/ACK without a previous SYN it sends a RST with current sequence number. And exactly this sequence number you will miss in your records. A little timing and much free time you will find out open ports. Happy hacking. But the disadvanteges of DROP are IMHO still outweighing, regards, Frank. -- Sigmentation fault -- gentoo-security@g.o mailing list