 From:  "Norman H. Azadian" <norman at azadian dot ch>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Reject or Deny?
 Date:  Tue, 28 Jun 2005 09:48:33 +0200
Right, he makes the point about limited usefulness of the obfuscation with:

> How do I make myself invisible?
>     In order to be invisible simply respond with "ICMP - Host/Network unreachable" with the
> address of your nearest router to every incoming package.
>     Note: No answer is the same as answering "I'm here and fine.". If you are not there another
> system will respond with "He's not there". This other system is the nearest router, located at your
> provider. And if it does so, you weren't connected to the internet.

So it seems the only advantage of stealth mode is to slow down scanners by 
about a factor of 3.  The disadvantage is that I can't ping my domain to 
see if anybody's home.  Obviously there are other ways to tell, but none 
quite as handy as the ping.

Norman H. Azadian    Taegerishalde 13    CH-3110 Muensingen    Switzerland
norman at azadian dot ch      tel: +41 31 721 7855      fax: +41 31 55 898 55

Chris Buechler wrote:
> On 6/27/05, Norman H. Azadian <norman at azadian dot ch> wrote:
>>Here's a quote from the de.comp.security.firewall FAQ:
>>Administrators who bother about script kiddies sometimes believe that they can stop them with
>>DENY. This is wrong. It's possible to start several thousand
>>scans at once and therefore to wait for all timeouts at once.  A scanner won't
>>slow down because of this.
> umm...  Of course it'll slow it down.  It has to wait for timeouts
> rather than immediately knowing the ports are closed.  In a quick and
> dirty test over the Internet, it was 18 seconds for reject vs. 51
> seconds for deny on a single IP.  If you launch 10,000 simultaneous
> port scans (assuming you have the bandwidth to do so), it's still
> going to take roughly 18 seconds if you're using reject, 51 seconds
> for deny, for all 10,000.
> Does it have a profound effect on script kiddies?  Not really, but
> that's not why you do it.  Any firewall should be (IMO) completely
> stealth by default, invisible from anyone probing the Internet.  You
> shouldn't have to lock down your firewall after installing it to be as
> secure to incoming hits as possible.  This does violate RFCs, but who
> cares...  IIRC only ones written long before the Internet was a
> dangerous place.
>>On the other side you slow down all legitimate users and services. Specifically 
>>the IDENT requests.
> Not *all* legit users and services.  Only ones trying to get to ports
> that aren't allowed, which isn't going to be legit traffic virtually
> always anyway.  If you're doing egress filtering, you should use
> reject so your users don't have to sit there and wait for a connection
> to time out if it's dropped.
> And the only thing I know of that sends out ident requests anymore is IRC.  
>>The ident service gives the administrator of a neat system a help for identifying misbehaving
>>users. DENY has the consequence that this help isn't recorded at
>>other servers. Do you want to hide spammers and script kiddies please use
> Hah.  By that methodology if you aren't running an ident daemon you're
> also contributing to the decline of the Internet...  umm, ok.  When
> was this written, a decade ago?  Virtually nobody runs ident anymore,
> other than some IRC users.
> If you want to be polite, sure, use reject.  But the Internet hasn't
> been a polite place for quite some time.  And virtually everyone
> you're being polite to is people trying to attack you, or worm
> infected hosts.  Is anyone ever going to accidentally try to connect
> to your public IP space on services you don't run?  Extremely
> doubtful.  I'll leave my firewalls at deny.
> On the flip side, does that bit of obfuscation really buy you much? 
> Not really.  If you have ports open, they're going to find them either
> way, and if you don't, it's not giving them much of anything to know
> there's actually a host alive there vs. no host there.
> -Chris
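As an added illustration that is not part of this thread, the policy mix Chris describes (silent drop toward the Internet, reject on egress so LAN clients fail fast), plus the FAQ's ident case, expressed as generic pf rules. Interface names, the LAN network and the chosen ports are constructed placeholders, and this is plain pf syntax rather than an m0n0wall configuration file.

```pf
# Constructed example: interface names and LAN network are placeholders.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"

# Default policy toward the Internet: silent drop ("stealth"), so an
# unsolicited probe only ever sees a timeout, never a RST or ICMP unreachable.
set block-policy drop
block in log on $ext_if all

# The FAQ's ident case: answer TCP 113 with a RST so a remote IRC or mail
# server that looks us up is told "closed" at once instead of waiting.
block return in quick on $ext_if proto tcp from any to ($ext_if) port 113

# Egress filtering: reject (RST for TCP, ICMP unreachable otherwise) so LAN
# clients hitting a blocked port fail immediately rather than timing out.
block return in quick on $int_if proto tcp from $lan_net to any port 25
block return in quick on $int_if proto udp from $lan_net to any port { 137, 138 }

# Everything else from the LAN is allowed out, statefully.
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if keep state
```

The two `quick` rules take effect before the later `pass` rules, which is what lets a reject policy coexist with a drop default on the same firewall.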