Re: DROP or REJECT that is the question...

From: Tim (tim-pentest@sentinelchicken.org)
Date: Sat Apr 07 2007 - 08:04:40 EDT


> My research was specifically focused on information leakage through TCP
> port scanning. After modeling the various scenarios (SYN stealth
> scanning, spoofed SYNs, spoofed SYNs through an idle scan, etc), I found
> that the best strategy for the defender is to always return a RST on
> blocked ports. This is because it will eliminate the attacker's ability
> to use an idle scan to obtain port information without giving away her
> IP address.
>
> Keep in mind that you must be very careful about how the RSTs are sent
> back, and this isn't the only consideration. Also, this applies only to
> TCP since idle scans are generally a TCP-only attack. Food for thought
> though.

Correction here. I meant to say you should always return a SYN/ACK to
blocked ports, if you want to eliminate idle scans. This is a form of
tarpitting. In order for an attacker to truly determine if there's a
service on that port, they would have to give up their IP address which
is much more valuable information.

tim
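To make the correction concrete, here is an added simulation (not code from the list or from Tim's research) of what an idle scan observes under three blocked-port policies: silent DROP, REJECT with RST, and the SYN/ACK tarpit described above. It models only the zombie's globally incrementing IP ID, which is the side channel an idle scan reads; the policy names and the IPID start value are constructed for the example.

```python
# Constructed model of idle-scan information leakage versus firewall policy.
# No packets are sent; only the zombie's IP ID counter is tracked, because
# that counter is the only thing an idle scan observes.

from typing import Optional

OPEN, CLOSED = "open", "closed"

# Hypothetical policy names for the example: how the target answers a SYN
# on a *blocked* port. Open ports always answer SYN/ACK regardless of policy.
BLOCKED_PORT_REPLY = {"drop": None, "reject": "RST", "synack": "SYN/ACK"}


def target_response(policy: str, port_state: str) -> Optional[str]:
    """Segment the target sends back (to the spoofed source) for one SYN."""
    if port_state == OPEN:
        return "SYN/ACK"
    return BLOCKED_PORT_REPLY[policy]


class Zombie:
    """Idle host whose IP ID increments by one for every packet it sends."""

    def __init__(self, ipid: int = 1000) -> None:  # start value is arbitrary
        self.ipid = ipid

    def send(self) -> int:
        self.ipid += 1
        return self.ipid

    def receive(self, segment: Optional[str]) -> None:
        # An unsolicited SYN/ACK is answered with a RST (one packet sent);
        # an unsolicited RST, or nothing at all, produces no packet.
        if segment == "SYN/ACK":
            self.send()


def idle_scan_inference(policy: str, port_state: str) -> str:
    """Verdict an observer reaches from the zombie's IPID before and after
    a SYN spoofed with the zombie's address reaches the target."""
    z = Zombie()
    before = z.send()                                 # probe: read IPID
    z.receive(target_response(policy, port_state))    # target replies to zombie
    after = z.send()                                  # probe again
    return "looks open" if after - before == 2 else "looks closed/filtered"


def leaks_port_state(policy: str) -> bool:
    """True if open and blocked ports are distinguishable without the
    observer ever using their own source address."""
    return idle_scan_inference(policy, OPEN) != idle_scan_inference(policy, CLOSED)
```

Both `drop` and `reject` leak the port state (only open ports make the zombie emit a RST), while `synack` makes every port look open, so the observer learns nothing until they probe from an address they own.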




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:41 EDT