[rescue] A perverse thought (SGI security division)

Sheldon T. Hall shel at cmhcsys.com
Thu Mar 11 15:35:39 CST 2004


 Caleb Shay suggests ...

> How about this:
>
> 1. Unauthorized connection logged
> 2. SGI tells firewall to add a tarpit on all ports for offending IP
> 3. Script kiddie now gets uncloseable sockets when they try to ssh in
> 4. Potentially they get uncloseable sockets during the portscan
> depending on how fast the rules get updated. The portscan never
> finishes AND it likely forces them to reboot to free up the sockets
>
> Advantages:
> No fiddling with stopping/restarting sshd/inetd and keeping valid
> users from connecting.
> Handles case where somebody runs a ip/portscan all night and then
> tries to connect to anything interesting it found in the morning.  You
> never need to remove the tarpit rules.
> Script kiddie's scanner now hangs the next time they scan your machine

Yeah, I like that even better!

I just have to get a better firewall than a "DSL router" to implement that
sort of thing!

Hmmm.  That brings up another idea ... what if the "standard" response for a
closed port was a fake "open" response?  I.e. if port 23 on every IP address
on the planet replied with

	login:

and just ignored the input, port-scanning pimply-faced script-kiddies would
find the going a lot tougher.  Looking for an open port, instead of being
like looking for a needle in a haystack, would be like looking for a
curare-dipped needle in a needle factory: it would take some work to know if
the one you found was the one you wanted.

-Shel


-Shel



More information about the rescue mailing list