IDS mailing list archives
RE: Intrusion prevention and dDos protection
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 27 Aug 2003 14:07:38 -0500
On Tue, 2003-08-26 at 10:31, Rob Shein wrote:
> I don't understand how the cloaking would work. It would seem to me that a firewall that drops all inbound packets that are not part of an existing connection is as invisible as a system that isn't online...
The cloaking is nothing else but sending a SYN-ACK back instead of a silent drop. In other words, your TCP 3-way establishes a connection, but nothing else is happening (no tar-pitting etc.). When you scan a box it should report that all ports are open. Now you are left to banner grab all ports to see what port is actually a real service and what port is not.

The concept has been kicked around for years. Some company is marketing it as their 'cloaking' architecture (probably an expensive product :). LaBrea is similar, but acts only on unused IPs and keeps the connection alive. A cloak works more on a port basis than an IP basis.

I was thinking of hacking ipfilter so that an option 'cloak' would be available, which does nothing else but do the 3-way and move on. My plan was to copy the routine from block-rst and just change the RST to a SYN-ACK. Unfortunately I haven't found the time for it... :(

Cheers,
Frank
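Added example, not Frank's code and not the ipfilter hack he describes: a userland stand-in for a cloaked port (accept the connection, then never say a word) next to a real banner-sending service, and the banner-grab step a scanner is then forced into. It runs entirely on loopback; the banner, the probe string and the port choices are constructed for the demo. The classifier deliberately sends a client-first probe after waiting for a banner, because a plain "connected, got nothing" check cannot tell a cloak from an HTTP-style service that waits for the client to speak.

```python
"""Userland "cloak" sink vs. a real service, and the banner grab that tells them apart.

Added example for the cloaking discussion above; nothing here is from the
original post. Ports are ephemeral, BANNER and PROBE are made-up sample data.
"""
import socket
import threading

HOST = "127.0.0.1"
BANNER = b"220 demo-smtp ready\r\n"    # constructed banner for the "real" service
PROBE = b"HEAD / HTTP/1.0\r\n\r\n"      # client-first poke for protocols that wait for us
TIMEOUT = 0.5                           # seconds to wait for the peer to speak


def _serve(srv, handler):
    """Accept forever on srv; one daemon thread per connection."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _listen(handler):
    """Bind an ephemeral loopback port, serve it with handler, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(16)
    threading.Thread(target=_serve, args=(srv, handler), daemon=True).start()
    return srv.getsockname()[1]


def cloak_handler(conn):
    """Cloak: the 3-way handshake completes, then nothing. Anything the client
    sends is read and discarded; we never transmit a byte and never tar-pit."""
    try:
        while conn.recv(4096):
            pass
    except OSError:
        pass
    finally:
        conn.close()


def real_service_handler(conn):
    """A server-speaks-first service: emit a banner, then hang up."""
    try:
        conn.sendall(BANNER)
    finally:
        conn.close()


def _recv(sock):
    """Bytes from the peer, b'' if it closed, None if it stayed silent."""
    try:
        return sock.recv(1024)
    except socket.timeout:
        return None


def classify_port(host, port, timeout=TIMEOUT):
    """Connect, then try to make the peer talk.

    'closed'  - connect refused (RST): genuinely not listening
    'service' - handshake done and the peer sent data (banner or reply to PROBE)
    'hangup'  - handshake done, peer closed without sending anything
    'silent'  - handshake done, nothing ever comes back: a cloak, or a service
                needing a protocol-specific probe (indistinguishable from here)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"
    try:
        data = _recv(s)            # does it speak first?
        if data:
            return "service"
        if data == b"":
            return "hangup"
        s.sendall(PROBE)           # no banner: poke it like a client-first protocol
        data = _recv(s)
        return "service" if data else "silent"
    except OSError:
        return "silent"
    finally:
        s.close()


def demo():
    """One cloak sink, one real service, one port nobody listens on; classify all."""
    cloak_port = _listen(cloak_handler)
    real_port = _listen(real_service_handler)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((HOST, 0))
    closed_port = tmp.getsockname()[1]   # free again once tmp is closed
    tmp.close()
    return {
        "cloak": classify_port(HOST, cloak_port),
        "real": classify_port(HOST, real_port),
        "closed": classify_port(HOST, closed_port),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:7s} -> {verdict}")
```

A SYN scan of the cloak port shows it open, exactly as the post says; only the second step (wait for a banner, then probe) separates it from the real service, and even then a cloak and a service that needs a protocol-specific probe both come back as 'silent'. To make a whole host answer like this on Linux, one approach (an assumption here, not the ipfilter change in the post) is to NAT every TCP port that has no real listener to the sink with `iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports <sink port>`, inserting exemptions for real services ahead of it. Note the cost difference: the sink keeps a socket per accepted connection, whereas the kernel hack Frank sketches would just emit the SYN-ACK and keep no state.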
Current thread:
- Intrusion prevention and dDos protection Darren Windham (Aug 21)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 25)
- RE: Intrusion prevention and dDos protection Paul Benedek (Aug 26)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 26)
- RE: Intrusion prevention and dDos protection Paul Benedek (Aug 26)
- RE: Intrusion prevention and dDos protection Paul Benedek (Aug 26)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 25)
- <Possible follow-ups>
- RE: Intrusion prevention and dDos protection Darren Windham (Aug 26)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 26)
- RE: Intrusion prevention and dDos protection Frank Knobbe (Aug 28)
- RE: Intrusion prevention and dDos protection Rob Shein (Aug 26)
- RE: Intrusion prevention and dDos protection kgeorgiades (Aug 28)