[ale] Nmap + filtered ports

Brian MacLeod nym.bnm at gmail.com
Fri Dec 16 18:11:48 EST 2005


On 12/16/05, Chris Ricker <kaboom at oobleck.net> wrote:
>
>
> That's the whole point -- you have to return something if you want it to
> look "normal"
>
> If you connect to a normal, unfiltered port with nothing listening on it,
> a compliant TCP/IP stack does not drop your connecting packet on the
> floor. Instead, it returns a response that lets you know there's no
> service listening on that port:
>
> * for TCP, it returns a TCP reset
>
> * for UDP, it returns an ICMP port unreachable
>
> By using the "-p tcp -j REJECT --reject-with tcp-reset" or "-p udp -j
> REJECT", your filter response is the same as an unfiltered, unbound port's
> response
>
> That's not to say an "iptables -p tcp -j REJECT --reject-with tcp-reset"
> is undetectable, just that it's a lot less obvious than an "iptables -p
> tcp -j DROP". Whether that's good or bad is situation-dependent and
> opinion-dependent ;-)
>


Right, I think I understand this.  But the flip side to this is that the
attacker now knows that there is a machine there, whereas if you drop the
packet, he doesn't know whether it is because of a firewall dropping packets
or because it is an unused IP address.  If my assumption is correct, hackers
are not going to want to investigate this further since it could be a waste
of time.

Or am I not understanding this correctly?
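The DROP versus REJECT choice discussed in the quoted reply, as an added example that is not part of the original thread: a small POSIX shell function that emits an iptables-restore ruleset in either style, so the two can be compared side by side and loaded without hand-typing each rule. The interface name eth0 and the single allowed service on 22/tcp are placeholders assumed for this example, not values from the original post. With the "drop" policy Nmap reports probed TCP ports as "filtered" (and UDP ports as "open|filtered"); with the "reject" policy the TCP RST and ICMP port-unreachable replies make Nmap report them as "closed", the same state an unbound port on a bare host shows.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# build_rules MODE prints an iptables-restore ruleset for the INPUT chain.
#   MODE=drop   : silently discard unwanted probes (Nmap: "filtered")
#   MODE=reject : answer like an unbound port (Nmap: "closed")
# Assumptions (placeholders, not from the original post): external interface
# is eth0 and the only exposed service is 22/tcp.

build_rules() {
    mode="$1"
    case "$mode" in
        drop)
            tcp_verdict='-j DROP'
            udp_verdict='-j DROP'
            ;;
        reject)
            # A compliant stack answers a SYN to a closed port with RST ...
            tcp_verdict='-j REJECT --reject-with tcp-reset'
            # ... and a UDP datagram to a closed port with ICMP port unreachable.
            # icmp-port-unreachable is also what "-p udp -j REJECT" uses by default.
            udp_verdict='-j REJECT --reject-with icmp-port-unreachable'
            ;;
        *)
            echo "usage: build_rules drop|reject" >&2
            return 1
            ;;
    esac

    # Default policy is DROP either way; the explicit final rules decide how
    # unwanted packets on the external interface are answered.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp $tcp_verdict
-A INPUT -i eth0 -p udp $udp_verdict
COMMIT
EOF
}

# Usage: ./fw.sh reject | iptables-restore   (as root, on the firewall)
if [ -n "${1:-}" ]; then
    build_rules "$1"
fi
```

To see the difference from the scanner's side, load one ruleset, run something like `nmap -sS -sU -p 1-1024 <host>` from another machine, then load the other and repeat: the unwanted ports flip between "filtered" and "closed" while 22/tcp stays "open". Both variants still leave the host reachable on 22/tcp, so neither hides the machine from a scan that includes that port.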