AW: [Dshield] firewall policy recommendations

Johannes Ullrich jullrich at
Fri May 31 13:53:50 GMT 2002

> Some of us don't even have a partial T1 and run on a minimum budget so
> we don't want to waste our resources just to annoy hackers who
> obviously have lots of time to waste anyway..........

There are a couple of different ways one can respond to a probe
on a closed port:

- send an RST.
  This is the default for most TCP/IP stacks. It tells the
  source of the probe that the port is closed and allows it
  to move on most efficiently.
  Total packets: 2 (1 SYN received, 1 RST sent)

- do nothing ('drop').
  Essentially the same thing as not having a device connected
  to this IP address. Most firewalls implement this by default.
  Sometimes this is called 'stealth mode'.
  Many TCP/IP stacks will retry 2 or 3 times if they don't get
  a response and eventually time out.
  Total packets: 1-3 (all SYN received; the exact number depends
  on the scan tool / TCP/IP stack of the source)

- tarpitting
  probably best explained by
  There are a number of different ways of doing this using more
  or less bandwidth. The simplest form will just send a
  SYN ACK to make the connection 'established'. In this mode,
  the scanner will send an 'ACK', adding up to a total of
  3 packets.

  More sophisticated tarpitting plays games with the
  scanner by exchanging window size probes to prevent the
  attacker from timing out. According to Tom Liston, this will
  take about 1215 bytes/hour (2.7 bps) for each connection from a
  Windows machine. The exact bandwidth depends on the operating
  systems involved, but is not significantly different.

So either way, resource requirements are small.

jullrich at             Collaborative Intrusion Detection         
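To see the three policies from the post side by side in a capture, here is an added example (not from the post, DShield or Tom Liston's tarpit code): it reads a constructed, simplified tcpdump-style trace, groups packets per probe, labels the policy the target applied and counts the packets each one cost. The addresses, ports, the trace lines and the `classify_probes` helper are all assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed, simplified tcpdump-style trace (sample data, not a real capture): one
# scanner (203.0.113.5) probes four closed ports on 192.0.2.10, one policy per port.
SAMPLE_TRACE = """\
10:00:00.000 IP 203.0.113.5.40001 > 192.0.2.10.135: Flags [S], win 64240
10:00:00.001 IP 192.0.2.10.135 > 203.0.113.5.40001: Flags [R.], win 0
10:00:00.000 IP 203.0.113.5.40002 > 192.0.2.10.139: Flags [S], win 64240
10:00:03.000 IP 203.0.113.5.40002 > 192.0.2.10.139: Flags [S], win 64240
10:00:09.000 IP 203.0.113.5.40002 > 192.0.2.10.139: Flags [S], win 64240
10:00:00.000 IP 203.0.113.5.40003 > 192.0.2.10.445: Flags [S], win 64240
10:00:00.001 IP 192.0.2.10.445 > 203.0.113.5.40003: Flags [S.], win 5
10:00:00.002 IP 203.0.113.5.40003 > 192.0.2.10.445: Flags [.], win 64240
10:00:00.000 IP 203.0.113.5.40004 > 192.0.2.10.1433: Flags [S], win 64240
10:00:00.001 IP 192.0.2.10.1433 > 203.0.113.5.40004: Flags [S.], win 5
10:00:00.002 IP 203.0.113.5.40004 > 192.0.2.10.1433: Flags [.], win 64240
10:00:00.003 IP 203.0.113.5.40004 > 192.0.2.10.1433: Flags [P.], win 64240
10:00:00.004 IP 192.0.2.10.1433 > 203.0.113.5.40004: Flags [.], win 0
10:01:00.004 IP 203.0.113.5.40004 > 192.0.2.10.1433: Flags [.], win 64240
10:01:00.005 IP 192.0.2.10.1433 > 203.0.113.5.40004: Flags [.], win 0
"""
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\].*?win (?P<win>\d+)")
def classify_probes(trace, target):
    """Return {(scanner ip, scanner port, target port): (policy, pkts in, pkts out)}."""
    flows = defaultdict(lambda: {"in": 0, "out": 0, "rst": False, "zero_win": False})
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a TCP packet line
        p = m.groupdict()
        if p["dst"] == target:            # scanner -> target
            flows[(p["src"], int(p["sport"]), int(p["dport"]))]["in"] += 1
        elif p["src"] == target:          # target -> scanner
            st = flows[(p["dst"], int(p["dport"]), int(p["sport"]))]
            st["out"] += 1
            st["rst"] |= "R" in p["flags"]
            st["zero_win"] |= ("R" not in p["flags"] and "S" not in p["flags"] and p["win"] == "0")  # tarpit pin
    result = {}
    for key, st in flows.items():
        if st["rst"]:
            policy = "reset"              # port told the scanner it is closed
        elif st["out"] == 0:
            policy = "drop"               # every SYN (and retry) went unanswered
        elif st["zero_win"]:
            policy = "tarpit"             # established, then held at window 0
        else:
            policy = "syn-ack"            # plain SYN/ACK, three-packet exchange
        result[key] = (policy, st["in"], st["out"])
    return result
```

Summing packets in and out per probe reproduces the post's figures: 2 for a reset, 1-3 for a drop (one per SYN retry), 3 for the plain SYN-ACK tarpit, and an open-ended trickle of zero-window probes for the full tarpit.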
