Port 113?

Same here, I block all ICMP with the WatchGuard for my home network. I also have Blackice block all ICMP with this laptop while in the hotel room using dial up. I have never had a problem blocking all ICMP.

Duane :)

Reply to
Duane Arnold

I do realise that. I was hoping you might know of one ?

Reply to
jameshanley39

On Tue, 29 Aug 2006 21:17:23 GMT, Leythos spoketh

Although I rarely disagree with you, there's a difference between "what works" and "what works", and I will elaborate.

Simply dropping unsolicited connections works. It may not break anything for you and many others, and everything may seem just fine and dandy. And that's OK.

"Stealth" does not work. Dropping packets (tcp/udp/icmp) for the purpose of being "invisible on the internet", as per Gibson's definition, does not work.

So, if you want to drop connections, that's your choice. It doesn't make you more secure, it doesn't make you invisible, but it works.

Lars M. Hansen


Reply to
Lars M. Hansen

If you notice, I've never claimed that stealth was/was not good, and I have only said that I block all ICMP and do it without a problem.

I do not consider "Stealth" to be of any benefit in security, but I do consider blocking all unnecessary items to be necessary for proper security. ICMP is not necessary, and it's blocked by default when we set up a network.

Reply to
Leythos

Been there already.

I don't claim to know everything but I have been doing this for a really long time and I have seen all sorts claiming all sorts.

Last year I was in a CISSP class and the instructor who I originally thought was OK turned out to be a moron. He and I got into an email debate about encryption key lengths and it became clear to me he really had no idea what he was talking about. I told our corporate people to never ever hire this guy for a class again.

I read RFCs. I know some people who have their names on RFCs. Big deal, vendors often do not adhere to the RFCs at all. My specialty is IPSec and this was a nightmare of incompatibility several years back (been to IPSec bake-offs) because of companies not doing what the RFC said and mostly, they didn't care.

I agree, ignore my comments, I really don't care. I was only trying to point out how things are done in the corporate world of big firewalls and big networks. My home net is designed just like our corporate net. There is no good reason to respond to unsolicited packets, do so if you want, I don't.

Agree 100%.

Reply to
crypto

You just don't understand TCP, and you seem not to understand IP and ICMP at all. This seems to be the reason for your opinion. "Nomen", really, please read the mentioned RFCs and try to understand. It's not too difficult, you probably will manage to understand.

This is wrong. And: don't "believe", we're talking about facts, please have a look at them after all now.

It's useless nonsense, and it just violates protocols without having any advantage.

Yours, VB.

Reply to
Volker Birk

Well, do you think you can manipulate your ISP's router like this remotely, or get a technician to do so? Well, only with blatantly misconfigured routers like at AOL's...

Reply to
Sebastian Gottschalk

To briefly summarize the argument:

What INFORMATION do you want the potential intruder to have? Response or none-response both provide information because the default configuration is TO respond. The absence of a response itself implies the existence of a protected service.

What about misinformation instead?

I've considered writing a tool to provide bogus responses to port scans for some time. If broadly implemented it could make the public Internet a significantly more dangerous place for crackers. Network scans are like tracer bullets: they point both ways.

So it would be easy to respond to a SYN on an unused port with an ACK bogusly sourced from a network owned by... a three-lettered agency, for example. The assumption being that most scanning tools are just crafting packets, not actually building sockets, so they are just creating a list of exposed ports with no native ability to correlate sent and received packets.

Such a system if broadly adopted could easily be expanded to provide investigators a whole variety of information. You could even coordinate responses by doing a DNS lookup before crafting the reply packets.

Evil -> Server -> DNS Evil

Reply to
shrike
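The point the last several posts circle, that a silent address is not the same as an empty one, is easy to check with a small simulation of what a SYN scanner actually sees. This is an added example, not code from the thread or from any poster. The names `Policy`, `Reply`, `scan` and `verdict` are chosen here; port states follow nmap's SYN-scan conventions (SYN/ACK open, RST closed, ICMP unreachable or silence filtered); and it assumes, as the common case rather than a guarantee, that the last-hop router answers ICMP host-unreachable for an address with no host on it once its ARP lookup fails. Shrike's decoy idea is included as a policy too, minus the spoofed source address.

```python
# Added example, not code from the thread or any poster: what a SYN scanner
# learns from each of the response policies argued about above.
# Assumption: an address with no host draws ICMP host-unreachable from the
# last-hop router (common behaviour once its ARP lookup fails, not universal).
from enum import Enum
from typing import Dict, NamedTuple


class Policy(Enum):
    ACCEPT = "accept"            # a service is listening
    CLOSED = "closed"            # no listener, no filter: the kernel sends RST
    REJECT_RST = "reject-rst"    # firewall REJECT with a TCP RST
    REJECT_ICMP = "reject-icmp"  # firewall REJECT with ICMP port-unreachable
    DROP = "drop"                # "stealth": discard silently
    DECOY = "decoy"              # SYN/ACK on every unused port (shrike's idea, without source spoofing)


class Reply(NamedTuple):
    kind: str  # "syn-ack" | "rst" | "icmp-port-unreach" | "icmp-host-unreach" | "none"
    src: str   # source address the reply carries; "" when nothing comes back


def reply_for(policy: Policy, host_ip: str, gateway_ip: str) -> Reply:
    """What one SYN to a port with the given policy draws back."""
    if policy in (Policy.ACCEPT, Policy.DECOY):
        return Reply("syn-ack", host_ip)
    if policy in (Policy.CLOSED, Policy.REJECT_RST):
        return Reply("rst", host_ip)
    if policy is Policy.REJECT_ICMP:
        # The ICMP error is built by whichever device rejects, so a
        # stateless REJECT on the gateway names the gateway, not the host.
        return Reply("icmp-port-unreach", gateway_ip)
    return Reply("none", "")


def port_state(reply: Reply) -> str:
    """nmap-style port state for a single SYN probe."""
    if reply.kind == "syn-ack":
        return "open"
    if reply.kind == "rst":
        return "closed"
    return "filtered"  # any ICMP unreachable, or no answer at all


def scan(host_exists: bool, ports: Dict[int, Policy], host_ip: str, gateway_ip: str) -> Dict[int, Reply]:
    """One SYN per port. An unused address draws host-unreachable from the router."""
    if not host_exists:
        return {p: Reply("icmp-host-unreach", gateway_ip) for p in ports}
    return {p: reply_for(pol, host_ip, gateway_ip) for p, pol in ports.items()}


def states(replies: Dict[int, Reply]) -> Dict[int, str]:
    return {p: port_state(r) for p, r in replies.items()}


def verdict(replies: Dict[int, Reply]) -> str:
    """What the scanner concludes about the address as a whole."""
    kinds = {r.kind for r in replies.values()}
    if kinds & {"syn-ack", "rst"}:
        return "live host"                      # the host itself answered
    if kinds == {"icmp-host-unreach"}:
        return "no host at this address"        # the router said so
    if kinds == {"none"}:
        # An empty address would have drawn host-unreachable, so total
        # silence means something is deliberately eating the probes.
        return "live host behind a drop-everything filter"
    return "address filtered at the gateway"


COMMON_PORTS = (22, 25, 80, 443, 3389)


def demo() -> Dict[str, str]:
    host, gw = "198.51.100.10", "198.51.100.1"  # RFC 5737 documentation addresses
    stealth = {p: Policy.DROP for p in COMMON_PORTS}
    rejecting = {p: Policy.REJECT_RST for p in COMMON_PORTS}
    decoy = {p: Policy.DECOY for p in COMMON_PORTS}
    open_count = list(states(scan(True, decoy, host, gw)).values()).count("open")
    return {
        "drop everything": verdict(scan(True, stealth, host, gw)),
        "reject everything": verdict(scan(True, rejecting, host, gw)),
        "unused address": verdict(scan(False, stealth, host, gw)),
        "decoy": "open ports reported: %d of %d" % (open_count, len(COMMON_PORTS)),
    }


if __name__ == "__main__":
    for policy, result in demo().items():
        print(f"{policy:18s} -> {result}")
```

Under these assumptions the drop-everything host is reported as "filtered" on every port yet still classed as a live host, the rejecting host shows "closed" ports exactly like an unfirewalled machine with nothing listening, and only the genuinely unused address comes back as absent. The decoy policy makes every port read "open", which is what makes a crafted-packet scanner's port list worthless.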

Please don't do so. The net is b0rken enough, we don't need more protocol violations.

There is no harm from port scanning.

Yours, VB.

Reply to
Volker Birk

Yep the Internet is busted. Such is the nature of distributed development. As long as things work at the consumer level, the money flows and only geeks notice that everything is broken.

RFCs are based on the assumption that users _want_ interoperability. Their authority is based completely on that assumption. A scanner is not compliant with the protocol specifications it scans to detect, so what's the harm in the response being non-RFC-compliant as well?

Of course most RFCs are damned loose anyway. Using an RFC as a development guide in _no_ way guarantees reliability or interoperability. It might get you close, but only testing will make your bugs get along with their bugs correctly. I've submitted a draft to the IETF for an unrelated protocol, and if I remember correctly all you need for a draft to become an RFC is TWO interoperable code bases, and I doubt even that is substantially verified. Protocol compatibility is not necessarily the same as RFC compliance. It could just mean the RFC sucked to begin with.

I have to disagree. Scans make my firewall logs bigger, which means it takes more time to audit them. If there were fewer hackers, there would be fewer scans, and less of my time would be spent chasing anomalies. That is a quantifiable budgetary expense incurred by me, because of them.

While I may be protected, a scan often indicates that _somebody_ is going to get attacked. Consequently it is my duty to report it to the authorities. (Whether they can hear while their head is in their ass is another argument)

I could walk down a street knocking on every door to sell vacuum cleaners. If I turn every doorknob to see which are unlocked, the neighbors should call the cops. Scanning a foreign class C for open file shares is the equivalent.

Throw a hundred hackers in jail, vs. audit a billion lines of source code. The economics of the situation are fairly obvious IMHO. Make hacking more expensive, and fewer people will do it. I am confident the spammers that are currently in jail would agree.

-Or something...

-Psy

Reply to
shrike
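Shrike's complaint that scans inflate the firewall logs and the time spent auditing them, and the later question of why blocked traffic is being logged at all, both come down to the same task: collapse scan noise into one finding per scanner so that only the leftover lines need a human look. This is an added example, not code from the thread or any poster. The sample log lines are constructed; the `SRC=`, `DST=`, `PROTO=` and `DPT=` fields are the ones the Linux netfilter LOG target writes, while the `FW-DROP:` prefix, the thresholds and the function names are assumptions made for the example.

```python
# Added example, not code from the thread: summarise port-scan noise in
# netfilter-style firewall logs so an audit reads "2 scanners" instead of
# 14 separate lines. The log text is constructed for the example.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

SAMPLE_LOG = """\
Sep  5 10:12:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=1 PROTO=TCP SPT=41234 DPT=21 WINDOW=1024 SYN
Sep  5 10:12:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=2 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 SYN
Sep  5 10:12:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=3 PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 SYN
Sep  5 10:12:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=4 PROTO=TCP SPT=41234 DPT=25 WINDOW=1024 SYN
Sep  5 10:12:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=5 PROTO=TCP SPT=41234 DPT=80 WINDOW=1024 SYN
Sep  5 10:12:06 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=6 PROTO=TCP SPT=41234 DPT=110 WINDOW=1024 SYN
Sep  5 10:12:07 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=7 PROTO=TCP SPT=41234 DPT=143 WINDOW=1024 SYN
Sep  5 10:12:08 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=44 TTL=52 ID=8 PROTO=TCP SPT=41234 DPT=443 WINDOW=1024 SYN
Sep  5 10:15:30 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.1 LEN=48 TTL=113 ID=9 PROTO=TCP SPT=3355 DPT=445 WINDOW=65535 SYN
Sep  5 10:15:31 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.2 LEN=48 TTL=113 ID=10 PROTO=TCP SPT=3356 DPT=445 WINDOW=65535 SYN
Sep  5 10:15:32 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.3 LEN=48 TTL=113 ID=11 PROTO=TCP SPT=3357 DPT=445 WINDOW=65535 SYN
Sep  5 10:15:33 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.4 LEN=48 TTL=113 ID=12 PROTO=TCP SPT=3358 DPT=445 WINDOW=65535 SYN
Sep  5 10:15:34 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 LEN=48 TTL=113 ID=13 PROTO=TCP SPT=3359 DPT=445 WINDOW=65535 SYN
Sep  5 10:15:35 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.6 LEN=48 TTL=113 ID=14 PROTO=TCP SPT=3360 DPT=445 WINDOW=65535 SYN
Sep  5 10:20:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.10 LEN=60 TTL=61 ID=15 PROTO=TCP SPT=50211 DPT=22 WINDOW=5840 SYN
Sep  5 10:40:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.10 LEN=60 TTL=61 ID=16 PROTO=TCP SPT=50212 DPT=80 WINDOW=5840 SYN
Sep  5 10:41:00 gw sshd[4242]: Accepted publickey for admin from 198.51.100.20 port 52000 ssh2
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dpt: int


class Finding(NamedTuple):
    src: str
    kind: str    # "vertical": many ports on one host; "horizontal": one port on many hosts
    target: str  # the host (vertical) or the port number as text (horizontal)
    lines: int   # log lines inside the detection window attributable to this scan


def parse(text: str) -> List[Event]:
    """Keep only netfilter LOG lines; anything without SRC/DST/PROTO is skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        f = dict(FIELD_RE.findall(line))
        if not m or not {"SRC", "DST", "PROTO"} <= f.keys():
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year
        events.append(Event(ts, f["SRC"], f["DST"], f["PROTO"], int(f.get("DPT", -1))))
    return events


def detect_scans(events: List[Event], min_targets: int = 5, window_s: int = 60) -> List[Finding]:
    """Per source, slide a window_s window over its events and flag >= min_targets
    distinct ports on one host (vertical) or one port on >= min_targets hosts (horizontal)."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    best: Dict[tuple, Finding] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs)):
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            lines_by_host, lines_by_port = defaultdict(int), defaultdict(int)
            for e in evs[i:]:
                if (e.ts - evs[i].ts).total_seconds() > window_s:
                    break
                ports_by_host[e.dst].add(e.dpt)
                hosts_by_port[e.dpt].add(e.dst)
                lines_by_host[e.dst] += 1
                lines_by_port[e.dpt] += 1
            for host, ports in ports_by_host.items():
                if len(ports) >= min_targets:
                    key = (src, "vertical", host)
                    if key not in best or best[key].lines < lines_by_host[host]:
                        best[key] = Finding(src, "vertical", host, lines_by_host[host])
            for port, hosts in hosts_by_port.items():
                if len(hosts) >= min_targets:
                    key = (src, "horizontal", str(port))
                    if key not in best or best[key].lines < lines_by_port[port]:
                        best[key] = Finding(src, "horizontal", str(port), lines_by_port[port])
    return sorted(best.values())


def audit_summary(events: List[Event], findings: List[Finding]) -> Dict[str, int]:
    """How many log lines the findings explain, and how many still need a human."""
    explained = set()
    for f in findings:
        for i, e in enumerate(events):
            if e.src != f.src:
                continue
            if (f.kind == "vertical" and e.dst == f.target) or (f.kind == "horizontal" and str(e.dpt) == f.target):
                explained.add(i)
    return {"total": len(events), "explained_by_scans": len(explained), "to_review": len(events) - len(explained)}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect_scans(evs)
    for f in found:
        print(f"{f.src:15s} {f.kind:10s} -> {f.target} ({f.lines} lines)")
    print(audit_summary(evs, found))
```

On the sample the two scanners account for 14 of the 16 firewall lines, leaving two single probes from a third address for the person reading the log to decide about. The thresholds are deliberately crude; the point is that the per-line cost shrike describes only exists if nothing in the pipeline groups the lines first.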

Unfortunately, people are forgetting that without respecting RFCs there would be no communication and no Internet at all.

Very sad.

Yours, VB.

Reply to
Volker Birk

No, I do not think that I can get my ISP to do this. However, seeing as how I have a globally routable subnet at my house behind a router that I control that is the uplink to the ISP, I think I can.

Consider:

[ASCII network diagram lost in extraction: ISP uplink --- "Rtr A" --- hosts on the globally routable subnet behind it]

In this case, I control "Rtr A" and any thing behind it. Thus if one of the Hosts issues an "ICMP Host Unreachable" message, "Rtr A" can modify it to look like the packet is coming from it (Rtr A), not the host in question.

Grant. . . .

Reply to
Taylor, Grant

Personally, I have better things to do with my bandwidth than to have two robots playing games with each other. REJect the connection attempt and get on with your life.

Why are you logging crap that is blocked?

Oh? And how many criminal complaints have you filed? How many convictions? Or are you just wasting time and effort to look as if you are doing something?

How many criminal complaints have you filed? How many convictions? Sending abuse complaints to ISP Ignore-bots doesn't count.

Spend an hour or two looking at the newsgroup archives at groups.google.com and you see millions of articles debating whether it's the equivalent or not. And while they are debating, they are doing absolutely nothing useful.

Oh, and classful networking is just a tad obsolete.

RFC1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy. V. Fuller, T. Li, J. Yu, K. Varadhan. September 1993. (Format: TXT=59998 bytes) (Obsoletes RFC1338) (Obsoleted by RFC4632) (Status: PROPOSED STANDARD)

RFC2050 ("Internet Registry IP Allocation Guidelines", November 1996) mentions network classes in the past tense - and that's ten _years_ ago. RFC4632 was released last month if you don't feel you have time to read all of the history.

Why should closed source be audited? The sheep still buy the crap with all of the holes unannounced - mainly because no one writing such code needs to worry about anyone seeing their juvenile coding errors. Also you seem to think that every country has the same laws identifying the same crimes. That is _FAR_ from the case in fact.

Make up your mind - are you referring to assholes who crack into unsecured systems, or the klowns sending you those offers for pills, loans, and who cares what else?

Old guy

Reply to
Moe Trin

All would be clear if you'd read my post from the 6th. If you are unable to put together the two messages in a coherent fashion, your attempt at enlightenment is futile.

-Psy

Reply to
shrike

If by that, you mean , I'm afraid that proves nothing. Would you like to spoof some stupid spammer into believing 162.45.67.89 is wide open for the taking, I think you're missing a few points. Actually, I've already seen idiots using that /16 as a purported source of windoze messenger spam. Contrary to your wildest dreams, three letter agencies, whether the BIA, FBI, NSA or a few others, really have more important things on their tables.

Of the systems I've bothered to trace (relatively easy with TCP, very hard with UDP), most are the usual windoze lusers whose systems are running sluggishly because they are infested with mal-ware. If you think those boxes have even the slightest clue where the controller is hiding, you really ought to spend some time reading at Bugtraq where Matthias Leisi posted some interesting material, or read news.admin.net-abuse.misc and see the posts yesterday from "Spamhuntress". She mentions finding a spam site unwittingly hosted by a church. I'm so sure the FBI would want to arrest those criminals.

By the way, did you ever get your 11000 executables down to something reasonable (I know you posted that you had made substantial headway), or is that why you are posting with windoze?

Old guy

Reply to
Moe Trin

Which would be a good point had I any interest in proving anything.

No doubt. But that doesn't negate the need to address the millions/billions? of dollars in annual damage caused by system cracking, and/or malware.

I am surprised you are unable to bridge the gap between the church that is compromised, and the effects of a decentralized system for collecting data on those responsible for the attack. Perhaps such a system integrated with an RBL would have protected the church in question?

Actually yes, thanks for asking. The box has customers on it now. I've been monitoring it, and it seems both stable and secure.

Am I supposed to be impressed? I run Cygwin. I have customers that send proprietary file types. Don't you?

I'm having a hard time understanding your antagonistic position. Perhaps you are working on something similar and are trying to protect your intellectual property? Don't worry, I haven't published anything, and probably won't. Innovation in your line of work usually has unforeseen ethical implications. Been there, done that, regretted it.

-Have a Nice day.

-Psy

Reply to
shrike

There are laws on the books in many jurisdictions around the world that address this problem. You might notice how many are actually being enforced, never mind how many convictions occurred. Jurisdictions have borders, and their authority rarely crosses those.

Hit google, and look up "Stacheldraht" (German for "barbed wire").

That's really funny. You have people who are at their knowledge limits trying to figure out how to use a power switch on a computer, and you're going to add more layers of stuff they have no capability of or desire in understanding? Please remember that the overwhelming majority of computers on the Internet are run by people who don't even understand the concept of a firewall, never mind a blocklist. By the way, she ("Spamhuntress") _called_ the church, and they hung up on her - twice.

Old guy

Reply to
Moe Trin

Correct. I am not proposing a law. Simply a system for reducing the economic investment required to _enforce_ the law.

And why is that? I would estimate that the lack of enforcement is due to the high investment required to achieve enforcement. No ground pounder is going to give up his bullet proof vest so the department can hire an analyst.

However, if you had an open source community-watch application with a broad installation base, then the investment requirements are substantially reduced making the enforcement more plausible.

If granny picks up the phone and reports a burglary next door, it is substantially cheaper than installing a CCTV system, nearly as effective, and has fewer privacy implications.

At this time there is NO technological equivalent to granny. What I am proposing is that development in this direction may be more fruitful than ensuring that everyone runs ultra-paranoid security policies.

Already done. The latest Netscape already includes a pseudo-RBL, and it is fairly idiot proof. And we are talking about a fairly transparent service. How much admin has to be done to run a proxy on a socket commonly used for a backdoor? Uh... Install it. Done! Yay.

Not to mention that it would be effective without the direct assistance of consumers. If 1/100 of the servers out there sported proxy-pots, (proxied honeypots) the results would probably be quite telling.

Let's not forget that security product vendors already have similar practices for doing threat analysis for their own products. Their results are proprietary. My suggestion is an equivalent system that is public domain.

Please remember that you only have to catch the bad guy once in a while. So throwing up your arms and waiting for the Apocalypse because consumers are clueless is ridiculous. Consumers have better things to do with their time.

There are plenty of working volunteer based distributed processing systems. The search for primes and SETI are examples. I see no reason why a distributed system for trapping hackers wouldn't work. Like I said before, I'm not going to write it. But I predict somebody will.

Of course by that time you'll have moved on to condescending to someone else about some other innovative concept that you're confident won't ever be useful.

-Psy

Reply to
shrike
