It's an interesting idea.  It's similar in concept to the way you set up
stealth IDS systems (attach them to network interfaces with no IP addresses,
or use a cable without any outgoing ethernet pins, see the Snort FAQ).
If you assume the model that all network interaction is driven by the
user's actions (which I don't think is necessarily accurate), then maybe
it would be possible.  I guess things that don't route but are essential
to proper operation (like ARP) would still work, but I think the system
would be pretty inefficient.  Might be a fun project for you to look into,
though, just to see what could be done with it.

Also, I'm not so sure about your statement on "any TCP-based attack."
Just as an example, I think a Teardrop or Land attack, which require only
incoming TCP packets, could still crash your system unless you took your
interface down or changed the IP address in addition to the route.

All in all, you get basically the same benefits with a personal firewall,
as far as I can see.  The latest generations seem to stealth a system
pretty nicely, at least for Windows.  I live in hope we'll see some for
Unix/Linux machines soon.

         David

At 12:22 PM 10/30/2001 -0800, John Oliver wrote:
>A thought just occurred to me... desktop systems (and even some servers)
>could be almost completely secure if there was a way to dynamically
>allocate and de-allocate routes.  If your system has no default route,
>it ought to be safe from any TCP-based attack.  If routes to remote
>networks could be dynamically added as needed, and then removed, it
>seems that it would be virtually impossible for an outsider to even see
>that the host exists, let alone be able to root it.
>
>Ideas?  Am I just way off the deep end here? :-)


--
David J. Bianco
<[EMAIL PROTECTED]>
PGP Fingerprint: 6B51 7858 36BD 6BC6 3F43  EC45 0025 5241 C57D 8B63
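The point at issue in this exchange is that a routing table only governs where outbound packets go; an inbound packet addressed to the interface is still handed to the stack whether or not a default route exists, which is why David contrasts route removal with a stateful personal firewall. The following Python model is an added illustration, not code from either poster or from any real stack: the `RoutingTable`, `Host` and `Packet` classes, the scenario functions and the TEST-NET sample addresses are all constructed here, and the "firewall" is a deliberately simplified stateful policy (admit inbound only from peers the host itself contacted).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str


class RoutingTable:
    """Minimal longest-prefix-match routing table (hypothetical model)."""

    def __init__(self):
        self.routes = []  # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def remove(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None  # no route: the stack cannot send this packet
        return max(matches, key=lambda r: r[0].prefixlen)[1]


class Host:
    """One interface, a routing table, and an optional stateful
    'personal firewall' that only admits inbound traffic from peers
    the host itself has already sent to (simplified model)."""

    def __init__(self, addr, local_net, firewall=False):
        self.addr = ipaddress.ip_address(addr)
        self.routes = RoutingTable()
        self.routes.add(local_net, "direct")
        self.firewall = firewall
        self.peers = set()  # remote addresses this host initiated traffic to

    def receive(self, pkt):
        # Routing is consulted for *outbound* packets only. An inbound packet
        # addressed to our interface reaches the stack regardless of which
        # routes exist, so route removal alone does not stop inbound packets.
        if ipaddress.ip_address(pkt.dst) != self.addr:
            return "dropped: not addressed to this host"
        if self.firewall and pkt.src not in self.peers:
            return "dropped by firewall: unsolicited inbound"
        return "delivered to stack"

    def send(self, pkt):
        next_hop = self.routes.lookup(pkt.dst)
        if next_hop is not None:
            self.peers.add(pkt.dst)  # remember the peer so its reply is admitted
        return next_hop


# Constructed sample addresses from the documentation (TEST-NET) ranges.
LOCAL = "192.0.2.10"
REMOTE = "198.51.100.7"


def scenario_no_default_route():
    """No default route: inbound still arrives, outbound cannot be sent."""
    h = Host(LOCAL, "192.0.2.0/24")
    inbound = h.receive(Packet(src=REMOTE, dst=LOCAL))
    outbound = h.send(Packet(src=LOCAL, dst=REMOTE))
    return inbound, outbound


def scenario_dynamic_route():
    """Add a default route on demand, use it, then withdraw it again."""
    h = Host(LOCAL, "192.0.2.0/24")
    h.routes.add("0.0.0.0/0", "192.0.2.1")
    while_present = h.send(Packet(src=LOCAL, dst=REMOTE))
    h.routes.remove("0.0.0.0/0")
    after_removal = h.send(Packet(src=LOCAL, dst=REMOTE))
    return while_present, after_removal


def scenario_personal_firewall():
    """Stateful firewall: unsolicited inbound is dropped at ingress, but the
    reply to a connection this host opened is still delivered."""
    h = Host(LOCAL, "192.0.2.0/24", firewall=True)
    h.routes.add("0.0.0.0/0", "192.0.2.1")
    unsolicited = h.receive(Packet(src=REMOTE, dst=LOCAL))
    h.send(Packet(src=LOCAL, dst=REMOTE))
    reply = h.receive(Packet(src=REMOTE, dst=LOCAL))
    return unsolicited, reply


if __name__ == "__main__":
    print("no default route:", scenario_no_default_route())
    print("dynamic route:   ", scenario_dynamic_route())
    print("personal firewall:", scenario_personal_firewall())
```

Running the three scenarios shows the difference in one screen: without a default route the host can neither be replied to nor reply itself, yet the unsolicited inbound packet is still "delivered to stack"; the stateful policy is what actually refuses it at ingress while still admitting the answer to a connection the host opened.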
