Another possibility is to alter certain parts of an IP header, in order to allow connections with computers that give the correct information. An example of this would be the checksum; if one were to allow connections from computers that show a certain CS in their ACK packet, and if there was a delay of about 15 seconds on each port (active or inactive) before it disallows or allows a connection, then it would take a minimum of 2042 years (under ideal conditions) to check every port. The port assignment would have to be inconspicuous, of course (i.e. no HTTP on port 80, or telnet on port 23). Similarly, if one were to allow data to be carried by the ACK packet (I believe that the IP5 RFC disallows this), then one could connect to a certain port if he has an even larger number in this packet, and if this number is large enough, then a delay on every port would be unnecessary because the number of different permutations of the given authentication number could be cosmic in proportion; and if the given client does not have the number in this ACK packet, then the connection is disallowed. In fact, I am sure that there are already a number of similar products out there, yet they do not authenticate at the protocol layer.

>From: Alan Clegg <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: How to keep port scannings away?
>Date: Fri, 15 Dec 2000 23:04:15 -0500
>
>Unless the network is lying to me again, Martin said:
>
> > You're right, you can't do anything about port scans. Besides which,
> > checking to see if someone's doorknob is unlocked isn't strictly
> > illegal, and it's hard to show that someone port scanning is more
> > intrusive than that.
>
>What you *CAN* do, however, is look where the scans are coming from.
>If they are from a dialup (guessed via hostnames) or cablemodem systems
>(same guess), I let them go. However, when I'm scanned from what *SHOULD*
>be a secure system (again, based on hostname), I do whatever I can to
>contact the person running the host.
>
>I've come across several UNIX (primarily Linux) boxes that were compromised
>and then used to mount large-scale scans. A bit of detective work was able
>to find the appropriate contacts and get the boxes locked down, cleaned,
>upgraded, removed, or whatever was appropriate.
>
>A bit more detective work (depending on the interest of the person that was
>compromised), and you may even be able to find out who did it, and
>prosecute them for getting into the system in question.
>
>AlanC
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
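The scan-source triage Alan Clegg describes (reverse-DNS the scanning host, let consumer dialup/cable-modem sources go, contact the operator of anything that should be a secure system), as an added Python example that is not code from any message in this thread. The firewall log lines and the PTR table standing in for live reverse lookups are constructed, and the hostname fragments used to guess "consumer" are an assumption.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (not taken from the list post).
SAMPLE_LOG = """\
Dec 15 22:10:01 fw kernel: DROP SRC=203.0.113.7 DPT=21
Dec 15 22:10:01 fw kernel: DROP SRC=203.0.113.7 DPT=22
Dec 15 22:10:02 fw kernel: DROP SRC=203.0.113.7 DPT=23
Dec 15 22:10:02 fw kernel: DROP SRC=203.0.113.7 DPT=25
Dec 15 22:10:03 fw kernel: DROP SRC=203.0.113.7 DPT=80
Dec 15 22:11:40 fw kernel: DROP SRC=198.51.100.9 DPT=111
Dec 15 22:11:40 fw kernel: DROP SRC=198.51.100.9 DPT=139
Dec 15 22:11:41 fw kernel: DROP SRC=198.51.100.9 DPT=515
Dec 15 22:11:41 fw kernel: DROP SRC=198.51.100.9 DPT=1080
Dec 15 22:11:42 fw kernel: DROP SRC=198.51.100.9 DPT=6000
Dec 15 22:12:00 fw kernel: DROP SRC=192.0.2.44 DPT=80
"""

# Constructed stand-in for reverse DNS (socket.gethostbyaddr) so this runs offline.
PTR_TABLE = {
    "203.0.113.7": "dsl-7-113.pool.example-isp.net",
    "198.51.100.9": "mail.example-university.edu",
}

LOG_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) .*?DPT=(\d+)")
# Hostname fragments treated as the "dialup / cablemodem" guess (assumed list).
CONSUMER_RE = re.compile(r"(dial|dsl|ppp|pool|cable|cpe|dhcp)", re.IGNORECASE)

def parse_events(log):
    """Return (src_ip, dst_port) pairs for every dropped packet in the log."""
    return [(m.group(1), int(m.group(2))) for m in LOG_RE.finditer(log)]

def find_scanners(events, min_ports=5):
    """A source touching at least min_ports distinct ports counts as a scanner."""
    ports = defaultdict(set)
    for src, dport in events:
        ports[src].add(dport)
    return {src: p for src, p in ports.items() if len(p) >= min_ports}

def triage(log, ptr_lookup, min_ports=5):
    """Classify each scanner: 'ignore' consumer hostnames, 'contact' the rest."""
    report = {}
    for src, ports in find_scanners(parse_events(log), min_ports).items():
        host = ptr_lookup(src) or "<no PTR>"
        action = "ignore" if CONSUMER_RE.search(host) else "contact"
        report[src] = {"host": host, "ports": sorted(ports), "action": action}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG, PTR_TABLE.get).items():
        print(f"{src:15} {info['host']:32} {len(info['ports'])} ports -> {info['action']}")
```

Replace `PTR_TABLE.get` with a wrapper around `socket.gethostbyaddr` to run it against real logs; a source with no PTR record falls through to "contact".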
