Dailydave mailing list archives

RE: Sending remote procedure calls through e-mail(RPC-Mail)


From: Paul Wouters <paul () xelerance com>
Date: Thu, 21 Oct 2004 00:36:10 +0200 (MET DST)

On Wed, 20 Oct 2004, John Bryson wrote:

> Imagine a fairly simple port knocking scheme where you don't have
> listening daemons, but sniff the packets off the wire - require users to
> hit port 81 then 5 then 5555, in order, and within a small period of
> time. Then a firewall hole is opened up for that user to services. And
> assume that you get no response at all from the server until you have
> completed that. Too many bad attempts from the same IP and you quit
> listening to that IP for perhaps 5 min. [I just spent all of 10 minutes
> thinking up this scheme, so there is a chance that it sucks B^) ]

- One machine in the LAN compromises all port knocking 'secured' servers
  in that LAN.
- DoS attack by sending lots of spoofed packets doing bad knocking.

> But, how will a worm figure that out? It can't with a simple port scan.

Most machines compromised have a public service which they use to compromise
the machine. Exploits happen more over http than ssh. You're protecting the
rare case, and protecting it badly.

> And if you add authentication to that, I think it's fairly worm-proof.

Sure, let's do 1024 bit public key by port knocking.....

> And it does add some support costs to the organization, which might be
> the best reason not to use it. (you have to work out a port knocking
> scheme, maybe write some software, and you might need custom clients or
> train users)

Yes, all the things that have been fixed before.

- anti replay tactics
- anti insertion protection
- safe session rekeying
- protect against fellow LAN hijackers using the same NATed IP

I mean, you're at a conference, using an open wireless network, NAT'ed to a
single IP address upstream. You want to open SMTP to your network and start
to portknock your server. You'd receive spam from your own system before you
sent your mail out.

Perhaps it's a thought for an April Fools' RFC? :)

Paul
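
Added example (not part of the original message or the list archive): a small Python model of the quoted knock scheme, with state keyed only by source IP. It shows two of the objections raised in the reply: the hole opens for the shared NAT address rather than for one user, and forged-source bad knocks lock the real user out. The 10-second window, the threshold of 3 bad attempts and the addresses are assumptions.

```python
KNOCK_SEQ = (81, 5, 5555)  # sequence from the quoted scheme
WINDOW = 10.0              # assumed "small period of time" (seconds)
MAX_BAD = 3                # assumed bad-attempt threshold
LOCKOUT = 300.0            # "perhaps 5 min"

class KnockFirewall:
    def __init__(self):
        self.progress = {}       # src_ip -> (next index in KNOCK_SEQ, start time)
        self.bad = {}            # src_ip -> bad attempts so far
        self.ignored_until = {}  # src_ip -> time the lockout ends
        self.open_for = set()    # src_ips with a firewall hole

    def packet(self, src_ip, dport, now):
        """Feed one sniffed packet; return what the knock listener did with it."""
        if now < self.ignored_until.get(src_ip, 0.0):
            return "ignored"
        idx, start = self.progress.get(src_ip, (0, now))
        if now - start > WINDOW:          # too slow: start over
            idx, start = 0, now
        if dport == KNOCK_SEQ[idx]:
            if idx + 1 == len(KNOCK_SEQ):
                self.progress.pop(src_ip, None)
                self.open_for.add(src_ip)
                return "opened"
            self.progress[src_ip] = (idx + 1, start)
            return "progress"
        self.progress.pop(src_ip, None)   # wrong port: reset and count it
        self.bad[src_ip] = self.bad.get(src_ip, 0) + 1
        if self.bad[src_ip] >= MAX_BAD:
            self.bad[src_ip] = 0
            self.ignored_until[src_ip] = now + LOCKOUT
            return "locked"
        return "bad"

def knock(fw, src_ip, t0):
    return [fw.packet(src_ip, p, t0 + i) for i, p in enumerate(KNOCK_SEQ)]

def shared_nat_case():
    """Legitimate user knocks from behind a NAT; the hole is per public IP."""
    fw, nat_ip = KnockFirewall(), "198.51.100.7"   # constructed address
    result = knock(fw, nat_ip, 0.0)
    # Any other host behind the same NAT arrives with the same source IP.
    return result, nat_ip in fw.open_for

def spoofed_lockout_case():
    """Forged-source bad knocks lock the real user out for LOCKOUT seconds."""
    fw, user_ip = KnockFirewall(), "203.0.113.9"   # constructed address
    forged = [fw.packet(user_ip, 9999, float(t)) for t in range(MAX_BAD)]
    return forged, knock(fw, user_ip, 10.0), knock(fw, user_ip, 10.0 + LOCKOUT)
```

Because the only identity the listener sees is the source address, per-user authentication and replay protection have to come from the service behind the firewall, not from the knock.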