Dailydave mailing list archives
RE: Sending remote procedure calls through e-mail(RPC-Mail)
From: Paul Wouters <paul () xelerance com>
Date: Thu, 21 Oct 2004 00:36:10 +0200 (MET DST)
On Wed, 20 Oct 2004, John Bryson wrote:
> Imagine a fairly simple port knocking scheme where you don't have listening daemons, but sniff the packets off the wire - require users to hit port 81 then 5 then 5555, in order, and within a small period of time. Then a firewall hole is opened up for that user to services. And assume that you get no response at all from the server until you have completed that. Too many bad attempts from the same IP and you quit listening to that IP for perhaps 5 min. [I just spent all of 10 minutes thinking up this scheme, so there is a chance that it sucks B^) ]

- One machine in the LAN compromises all port knocking 'secured' servers in that LAN.
- DoS attack by sending lots of spoofed packets doing bad knocking.

> But, how will a worm figure that out? It can't with a simple port scan.

Most machines compromised have a public service which they use to compromise the machine. Exploits happen more over http than ssh. You're protecting the rare case, and protecting it badly.

> And if you add authentication to that, I think it's fairly worm-proof.

Sure, let's do 1024 bit public key by port knocking.....

> And it does add some support costs to the organization, which might be the best reason not to use it. (you have to work out a port knocking scheme, maybe write some software, and you might need custom clients or train users)

Yes, all the things that have been fixed before.
- anti replay tactics
- anti insertion protection
- safe session rekeying
- protect against fellow LAN hijackers using the same NATed IP

I mean, you're at a conference, using an open wireless network, NAT'ed to a single IP address upstream. You want to open SMTP to your network and start to portknock your server. You'd receive spam from your own system before you sent your mail out.

Perhaps it's a thought for an April's fool RFC? :)

Paul
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
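Added example, not part of the original message or thread: a small simulation of the source-IP-keyed knock filter from the quoted scheme, run over constructed packet traces to show the shared-NAT and spoofed-bad-knock problems raised in the reply. The class name, the 10-second window and the three-attempt threshold are assumptions; the ports and the 5-minute ignore period come from the quoted text.

```python
from dataclasses import dataclass, field

SEQUENCE = (81, 5, 5555)  # knock order from the quoted scheme
WINDOW = 10.0             # assumed: seconds allowed for the whole sequence
MAX_BAD = 3               # assumed: bad attempts before an IP is ignored
LOCKOUT = 300.0           # "perhaps 5 min" from the quoted scheme

@dataclass
class KnockFilter:
    """Hypothetical passive knock filter; all state is keyed by source IP only."""
    progress: dict = field(default_factory=dict)       # src -> (next index, start time)
    bad: dict = field(default_factory=dict)            # src -> bad attempt count
    ignored_until: dict = field(default_factory=dict)  # src -> end of ignore period
    allowed: set = field(default_factory=set)          # sources with an open hole

    def packet(self, t, src, dport):
        """Feed one sniffed packet; return the action taken for it."""
        if self.ignored_until.get(src, 0.0) > t:
            return "ignored"
        idx, start = self.progress.get(src, (0, t))
        if t - start > WINDOW:                 # too slow: start over
            idx, start = 0, t
        if dport == SEQUENCE[idx]:
            if idx + 1 == len(SEQUENCE):
                self.progress.pop(src, None)
                self.allowed.add(src)          # hole is opened per source IP
                return "opened"
            self.progress[src] = (idx + 1, start)
            return "progress"
        self.progress.pop(src, None)
        self.bad[src] = self.bad.get(src, 0) + 1
        if self.bad[src] >= MAX_BAD:
            self.ignored_until[src] = t + LOCKOUT
            return "locked"
        return "bad"

def nat_scenario():
    """Constructed trace: one user knocks from behind a shared NAT address."""
    f, nat = KnockFilter(), "198.51.100.7"
    for i, port in enumerate(SEQUENCE):
        f.packet(float(i), nat, port)
    # The filter sees only the address, so every host behind it is now allowed.
    return nat in f.allowed

def spoof_scenario():
    """Constructed trace: forged wrong knocks, then the real user's knock."""
    f, user = KnockFilter(), "203.0.113.20"
    for i in range(MAX_BAD):
        f.packet(float(i), user, 9999)         # source address is not verified
    return [f.packet(10.0 + i, user, p) for i, p in enumerate(SEQUENCE)]
```

Both results follow from the filter having no identity other than the source address, which is the gap the reply's list of "things that have been fixed before" refers to.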